Keycloak v5.2.1 published on Tuesday, Jun 27, 2023 by Pulumi

keycloak.Realm


    Allows for creating and managing Realms within Keycloak.

    A realm manages a logical collection of users, credentials, roles, and groups. Users log in to realms and can be federated from multiple sources.

    Default Client Scopes

    • default_default_client_scopes - (Optional) A list of default default client scopes to be used for client definitions. Defaults to [] or keycloak’s built-in default default client-scopes.
    • default_optional_client_scopes - (Optional) A list of default optional client scopes to be used for client definitions. Defaults to [] or keycloak’s built-in default optional client-scopes.

    Example Usage

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Keycloak = Pulumi.Keycloak;
    
    return await Deployment.RunAsync(() =>
    {
        // Locales offered by the realm; "en" is the default.
        var localeSettings = new Keycloak.Inputs.RealmInternationalizationArgs
        {
            DefaultLocale = "en",
            SupportedLocales = new[]
            {
                "en",
                "de",
                "es",
            },
        };

        // Brute-force detection thresholds for failed logins.
        // NOTE(review): 30 tolerated failures with PermanentLockout = false is a lenient
        // sample; choose values that match your own lockout policy.
        var bruteForceSettings = new Keycloak.Inputs.RealmSecurityDefensesBruteForceDetectionArgs
        {
            FailureResetTimeSeconds = 43200,
            MaxFailureWaitSeconds = 900,
            MaxLoginFailures = 30,
            MinimumQuickLoginWaitSeconds = 60,
            PermanentLockout = false,
            QuickLoginCheckMilliSeconds = 1000,
            WaitIncrementSeconds = 60,
        };

        // Browser security headers for the realm.
        // The CSP below only constrains framing and plugin content (frame-src,
        // frame-ancestors, object-src); it sets no script-src or default-src.
        // HSTS is set to one year and covers subdomains.
        // NOTE(review): X-XSS-Protection is a legacy header that current browsers no
        // longer act on; rely on the CSP rather than on this value.
        var responseHeaders = new Keycloak.Inputs.RealmSecurityDefensesHeadersArgs
        {
            ContentSecurityPolicy = "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
            ContentSecurityPolicyReportOnly = "",
            StrictTransportSecurity = "max-age=31536000; includeSubDomains",
            XContentTypeOptions = "nosniff",
            XFrameOptions = "DENY",
            XRobotsTag = "none",
            XXssProtection = "1; mode=block",
        };

        // Outgoing mail settings.
        // The username and password are placeholders. In a real stack, read the
        // password from Pulumi secret configuration (for example Config.RequireSecret)
        // instead of committing a literal to source control.
        var mailSettings = new Keycloak.Inputs.RealmSmtpServerArgs
        {
            Auth = new Keycloak.Inputs.RealmSmtpServerAuthArgs
            {
                Password = "password",
                Username = "tom",
            },
            From = "example@example.com",
            Host = "smtp.example.com",
        };

        // WebAuthn relying-party settings.
        // NOTE(review): the relying party ID is expected to match the host users
        // authenticate on; confirm it against your deployment's hostname.
        var webAuthnSettings = new Keycloak.Inputs.RealmWebAuthnPolicyArgs
        {
            RelyingPartyEntityName = "Example",
            RelyingPartyId = "keycloak.example.com",
            SignatureAlgorithms = new[]
            {
                "ES256",
                "RS256",
            },
        };

        var realmSettings = new Keycloak.RealmArgs
        {
            AccessCodeLifespan = "1h",
            Attributes =
            {
                { "mycustomAttribute", "myCustomValue" },
            },
            DisplayName = "my realm",
            // Rendered as HTML on the login screen, so keep this to trusted, static markup.
            DisplayNameHtml = "<b>my realm</b>",
            Enabled = true,
            Internationalization = localeSettings,
            LoginTheme = "base",
            // NOTE(review): length(8) is a low floor for a production password policy.
            PasswordPolicy = "upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername",
            RealmName = "my-realm",
            SecurityDefenses = new Keycloak.Inputs.RealmSecurityDefensesArgs
            {
                BruteForceDetection = bruteForceSettings,
                Headers = responseHeaders,
            },
            SmtpServer = mailSettings,
            // Accepted values are 'none', 'external' and 'all'.
            // NOTE(review): 'external' is understood to exempt private/loopback client
            // addresses from the HTTPS requirement; prefer 'all' where every client
            // reaches Keycloak over TLS. Confirm against the Keycloak documentation.
            SslRequired = "external",
            WebAuthnPolicy = webAuthnSettings,
        };

        var realm = new Keycloak.Realm("realm", realmSettings);
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-keycloak/sdk/v5/go/keycloak"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    // main registers a single Keycloak realm named "my-realm" with the Pulumi engine.
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Locales offered by the realm; "en" is the default.
    		localeSettings := &keycloak.RealmInternationalizationArgs{
    			DefaultLocale: pulumi.String("en"),
    			SupportedLocales: pulumi.StringArray{
    				pulumi.String("en"),
    				pulumi.String("de"),
    				pulumi.String("es"),
    			},
    		}

    		// Brute-force detection thresholds for failed logins.
    		// NOTE(review): 30 tolerated failures with PermanentLockout false is a
    		// lenient sample; choose values that match your own lockout policy.
    		bruteForceSettings := &keycloak.RealmSecurityDefensesBruteForceDetectionArgs{
    			FailureResetTimeSeconds:      pulumi.Int(43200),
    			MaxFailureWaitSeconds:        pulumi.Int(900),
    			MaxLoginFailures:             pulumi.Int(30),
    			MinimumQuickLoginWaitSeconds: pulumi.Int(60),
    			PermanentLockout:             pulumi.Bool(false),
    			QuickLoginCheckMilliSeconds:  pulumi.Int(1000),
    			WaitIncrementSeconds:         pulumi.Int(60),
    		}

    		// Browser security headers for the realm.
    		// The CSP only constrains framing and plugin content (frame-src,
    		// frame-ancestors, object-src); it sets no script-src or default-src.
    		// NOTE(review): X-XSS-Protection is a legacy header that current
    		// browsers no longer act on; rely on the CSP instead.
    		responseHeaders := &keycloak.RealmSecurityDefensesHeadersArgs{
    			ContentSecurityPolicy:           pulumi.String("frame-src 'self'; frame-ancestors 'self'; object-src 'none';"),
    			ContentSecurityPolicyReportOnly: pulumi.String(""),
    			StrictTransportSecurity:         pulumi.String("max-age=31536000; includeSubDomains"),
    			XContentTypeOptions:             pulumi.String("nosniff"),
    			XFrameOptions:                   pulumi.String("DENY"),
    			XRobotsTag:                      pulumi.String("none"),
    			XXssProtection:                  pulumi.String("1; mode=block"),
    		}

    		// Outgoing mail settings. The username and password are placeholders;
    		// in a real stack, read the password from Pulumi secret configuration
    		// instead of committing a literal to source control.
    		mailSettings := &keycloak.RealmSmtpServerArgs{
    			Auth: &keycloak.RealmSmtpServerAuthArgs{
    				Password: pulumi.String("password"),
    				Username: pulumi.String("tom"),
    			},
    			From: pulumi.String("example@example.com"),
    			Host: pulumi.String("smtp.example.com"),
    		}

    		// WebAuthn relying-party settings.
    		// NOTE(review): the relying party ID is expected to match the host
    		// users authenticate on; confirm it against your deployment.
    		webAuthnSettings := &keycloak.RealmWebAuthnPolicyArgs{
    			RelyingPartyEntityName: pulumi.String("Example"),
    			RelyingPartyId:         pulumi.String("keycloak.example.com"),
    			SignatureAlgorithms: pulumi.StringArray{
    				pulumi.String("ES256"),
    				pulumi.String("RS256"),
    			},
    		}

    		realmSettings := &keycloak.RealmArgs{
    			AccessCodeLifespan: pulumi.String("1h"),
    			Attributes: pulumi.AnyMap{
    				"mycustomAttribute": pulumi.Any("myCustomValue"),
    			},
    			DisplayName: pulumi.String("my realm"),
    			// Rendered as HTML on the login screen; keep it to trusted, static markup.
    			DisplayNameHtml:      pulumi.String("<b>my realm</b>"),
    			Enabled:              pulumi.Bool(true),
    			Internationalization: localeSettings,
    			LoginTheme:           pulumi.String("base"),
    			// NOTE(review): length(8) is a low floor for a production password policy.
    			PasswordPolicy: pulumi.String("upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername"),
    			Realm:          pulumi.String("my-realm"),
    			SecurityDefenses: &keycloak.RealmSecurityDefensesArgs{
    				BruteForceDetection: bruteForceSettings,
    				Headers:             responseHeaders,
    			},
    			SmtpServer: mailSettings,
    			// Accepted values are 'none', 'external' and 'all'.
    			// NOTE(review): 'external' is understood to exempt private/loopback
    			// client addresses from the HTTPS requirement; prefer 'all' where
    			// every client reaches Keycloak over TLS. Confirm against the
    			// Keycloak documentation.
    			SslRequired:    pulumi.String("external"),
    			WebAuthnPolicy: webAuthnSettings,
    		}

    		// Only the error matters here; the resource handle is not used afterwards.
    		_, err := keycloak.NewRealm(ctx, "realm", realmSettings)
    		return err
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.keycloak.Realm;
    import com.pulumi.keycloak.RealmArgs;
    import com.pulumi.keycloak.inputs.RealmInternationalizationArgs;
    import com.pulumi.keycloak.inputs.RealmSecurityDefensesArgs;
    import com.pulumi.keycloak.inputs.RealmSecurityDefensesBruteForceDetectionArgs;
    import com.pulumi.keycloak.inputs.RealmSecurityDefensesHeadersArgs;
    import com.pulumi.keycloak.inputs.RealmSmtpServerArgs;
    import com.pulumi.keycloak.inputs.RealmSmtpServerAuthArgs;
    import com.pulumi.keycloak.inputs.RealmWebAuthnPolicyArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    /**
     * Pulumi program that declares a single Keycloak realm named "my-realm".
     */
    public class App {
        /** Hands the stack definition to the Pulumi runtime. */
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the realm resource and its nested settings.
         *
         * @param ctx the Pulumi deployment context (not read by this example)
         */
        public static void stack(Context ctx) {
            // Locales offered by the realm; "en" is the default.
            var localeSettings = RealmInternationalizationArgs.builder()
                .defaultLocale("en")
                .supportedLocales("en", "de", "es")
                .build();

            // Brute-force detection thresholds for failed logins.
            // NOTE(review): 30 tolerated failures with permanentLockout(false) is a
            // lenient sample; choose values that match your own lockout policy.
            var bruteForceSettings = RealmSecurityDefensesBruteForceDetectionArgs.builder()
                .failureResetTimeSeconds(43200)
                .maxFailureWaitSeconds(900)
                .maxLoginFailures(30)
                .minimumQuickLoginWaitSeconds(60)
                .permanentLockout(false)
                .quickLoginCheckMilliSeconds(1000)
                .waitIncrementSeconds(60)
                .build();

            // Browser security headers for the realm.
            // The CSP only constrains framing and plugin content (frame-src,
            // frame-ancestors, object-src); it sets no script-src or default-src.
            // NOTE(review): X-XSS-Protection is a legacy header that current
            // browsers no longer act on; rely on the CSP instead.
            var responseHeaders = RealmSecurityDefensesHeadersArgs.builder()
                .contentSecurityPolicy("frame-src 'self'; frame-ancestors 'self'; object-src 'none';")
                .contentSecurityPolicyReportOnly("")
                .strictTransportSecurity("max-age=31536000; includeSubDomains")
                .xContentTypeOptions("nosniff")
                .xFrameOptions("DENY")
                .xRobotsTag("none")
                .xXssProtection("1; mode=block")
                .build();

            var defenses = RealmSecurityDefensesArgs.builder()
                .bruteForceDetection(bruteForceSettings)
                .headers(responseHeaders)
                .build();

            // Outgoing mail settings. The username and password are placeholders;
            // in a real stack, read the password from Pulumi secret configuration
            // instead of committing a literal to source control.
            var mailCredentials = RealmSmtpServerAuthArgs.builder()
                .password("password")
                .username("tom")
                .build();
            var mailSettings = RealmSmtpServerArgs.builder()
                .auth(mailCredentials)
                .from("example@example.com")
                .host("smtp.example.com")
                .build();

            // WebAuthn relying-party settings.
            // NOTE(review): the relying party ID is expected to match the host
            // users authenticate on; confirm it against your deployment.
            var webAuthnSettings = RealmWebAuthnPolicyArgs.builder()
                .relyingPartyEntityName("Example")
                .relyingPartyId("keycloak.example.com")
                .signatureAlgorithms("ES256", "RS256")
                .build();

            var realmSettings = RealmArgs.builder()
                .accessCodeLifespan("1h")
                .attributes(Map.of("mycustomAttribute", "myCustomValue"))
                .displayName("my realm")
                // Rendered as HTML on the login screen; keep it to trusted, static markup.
                .displayNameHtml("<b>my realm</b>")
                .enabled(true)
                .internationalization(localeSettings)
                .loginTheme("base")
                // NOTE(review): length(8) is a low floor for a production password policy.
                .passwordPolicy("upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername")
                .realm("my-realm")
                .securityDefenses(defenses)
                .smtpServer(mailSettings)
                // Accepted values are 'none', 'external' and 'all'.
                // NOTE(review): 'external' is understood to exempt private/loopback
                // client addresses from the HTTPS requirement; prefer 'all' where
                // every client reaches Keycloak over TLS. Confirm against the
                // Keycloak documentation.
                .sslRequired("external")
                .webAuthnPolicy(webAuthnSettings)
                .build();

            var realm = new Realm("realm", realmSettings);
        }
    }
    
    import pulumi
    import pulumi_keycloak as keycloak
    
    # Locales offered by the realm; "en" is the default.
    locale_settings = keycloak.RealmInternationalizationArgs(
        default_locale="en",
        supported_locales=["en", "de", "es"],
    )

    # Brute-force detection thresholds for failed logins.
    # NOTE(review): 30 tolerated failures with permanent_lockout=False is a lenient
    # sample; choose values that match your own lockout policy.
    brute_force_settings = keycloak.RealmSecurityDefensesBruteForceDetectionArgs(
        failure_reset_time_seconds=43200,
        max_failure_wait_seconds=900,
        max_login_failures=30,
        minimum_quick_login_wait_seconds=60,
        permanent_lockout=False,
        quick_login_check_milli_seconds=1000,
        wait_increment_seconds=60,
    )

    # Browser security headers for the realm.
    # The CSP only constrains framing and plugin content (frame-src,
    # frame-ancestors, object-src); it sets no script-src or default-src.
    # NOTE(review): X-XSS-Protection is a legacy header that current browsers no
    # longer act on; rely on the CSP instead.
    response_headers = keycloak.RealmSecurityDefensesHeadersArgs(
        content_security_policy="frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
        content_security_policy_report_only="",
        strict_transport_security="max-age=31536000; includeSubDomains",
        x_content_type_options="nosniff",
        x_frame_options="DENY",
        x_robots_tag="none",
        x_xss_protection="1; mode=block",
    )

    # Outgoing mail settings. The username and password are placeholders; in a real
    # stack, read the password from Pulumi secret configuration (for example
    # pulumi.Config().require_secret) instead of committing a literal to source control.
    mail_settings = keycloak.RealmSmtpServerArgs(
        auth=keycloak.RealmSmtpServerAuthArgs(
            password="password",
            username="tom",
        ),
        from_="example@example.com",
        host="smtp.example.com",
    )

    # WebAuthn relying-party settings.
    # NOTE(review): the relying party ID is expected to match the host users
    # authenticate on; confirm it against your deployment.
    web_authn_settings = keycloak.RealmWebAuthnPolicyArgs(
        relying_party_entity_name="Example",
        relying_party_id="keycloak.example.com",
        signature_algorithms=["ES256", "RS256"],
    )

    realm = keycloak.Realm(
        "realm",
        access_code_lifespan="1h",
        attributes={"mycustomAttribute": "myCustomValue"},
        display_name="my realm",
        # Rendered as HTML on the login screen; keep it to trusted, static markup.
        display_name_html="<b>my realm</b>",
        enabled=True,
        internationalization=locale_settings,
        login_theme="base",
        # NOTE(review): length(8) is a low floor for a production password policy.
        password_policy="upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername",
        realm="my-realm",
        security_defenses=keycloak.RealmSecurityDefensesArgs(
            brute_force_detection=brute_force_settings,
            headers=response_headers,
        ),
        smtp_server=mail_settings,
        # Accepted values are 'none', 'external' and 'all'.
        # NOTE(review): 'external' is understood to exempt private/loopback client
        # addresses from the HTTPS requirement; prefer 'all' where every client
        # reaches Keycloak over TLS. Confirm against the Keycloak documentation.
        ssl_required="external",
        web_authn_policy=web_authn_settings,
    )
    
    import * as pulumi from "@pulumi/pulumi";
    import * as keycloak from "@pulumi/keycloak";
    
    // Locales offered by the realm; "en" is the default.
    const localeSettings = {
        defaultLocale: "en",
        supportedLocales: ["en", "de", "es"],
    };

    // Brute-force detection thresholds for failed logins.
    // NOTE(review): 30 tolerated failures with permanentLockout false is a lenient
    // sample; choose values that match your own lockout policy.
    const bruteForceSettings = {
        failureResetTimeSeconds: 43200,
        maxFailureWaitSeconds: 900,
        maxLoginFailures: 30,
        minimumQuickLoginWaitSeconds: 60,
        permanentLockout: false,
        quickLoginCheckMilliSeconds: 1000,
        waitIncrementSeconds: 60,
    };

    // Browser security headers for the realm.
    // The CSP only constrains framing and plugin content (frame-src,
    // frame-ancestors, object-src); it sets no script-src or default-src.
    // NOTE(review): X-XSS-Protection is a legacy header that current browsers no
    // longer act on; rely on the CSP instead.
    const responseHeaders = {
        contentSecurityPolicy: "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
        contentSecurityPolicyReportOnly: "",
        strictTransportSecurity: "max-age=31536000; includeSubDomains",
        xContentTypeOptions: "nosniff",
        xFrameOptions: "DENY",
        xRobotsTag: "none",
        xXssProtection: "1; mode=block",
    };

    // Outgoing mail settings. The username and password are placeholders; in a real
    // stack, read the password from Pulumi secret configuration (for example
    // new pulumi.Config().requireSecret) instead of committing a literal to source control.
    const mailSettings = {
        auth: {
            password: "password",
            username: "tom",
        },
        from: "example@example.com",
        host: "smtp.example.com",
    };

    // WebAuthn relying-party settings.
    // NOTE(review): the relying party ID is expected to match the host users
    // authenticate on; confirm it against your deployment.
    const webAuthnSettings = {
        relyingPartyEntityName: "Example",
        relyingPartyId: "keycloak.example.com",
        signatureAlgorithms: ["ES256", "RS256"],
    };

    const realm = new keycloak.Realm("realm", {
        accessCodeLifespan: "1h",
        attributes: {
            mycustomAttribute: "myCustomValue",
        },
        displayName: "my realm",
        // Rendered as HTML on the login screen; keep it to trusted, static markup.
        displayNameHtml: "<b>my realm</b>",
        enabled: true,
        internationalization: localeSettings,
        loginTheme: "base",
        // NOTE(review): length(8) is a low floor for a production password policy.
        passwordPolicy: "upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername",
        realm: "my-realm",
        securityDefenses: {
            bruteForceDetection: bruteForceSettings,
            headers: responseHeaders,
        },
        smtpServer: mailSettings,
        // Accepted values are 'none', 'external' and 'all'.
        // NOTE(review): 'external' is understood to exempt private/loopback client
        // addresses from the HTTPS requirement; prefer 'all' where every client
        // reaches Keycloak over TLS. Confirm against the Keycloak documentation.
        sslRequired: "external",
        webAuthnPolicy: webAuthnSettings,
    });
    
    # Declares a single Keycloak realm named "my-realm".
    resources:
      realm:
        type: keycloak:Realm
        properties:
          accessCodeLifespan: 1h
          attributes:
            mycustomAttribute: myCustomValue
          displayName: my realm
          # Rendered as HTML on the login screen; keep it to trusted, static markup.
          displayNameHtml: <b>my realm</b>
          enabled: true
          internationalization:
            defaultLocale: en
            supportedLocales:
              - en
              - de
              - es
          loginTheme: base
          # NOTE(review): length(8) is a low floor for a production password policy.
          passwordPolicy: upperCase(1) and length(8) and forceExpiredPasswordChange(365) and notUsername
          realm: my-realm
          securityDefenses:
            # Brute-force detection thresholds for failed logins.
            # NOTE(review): 30 tolerated failures with permanentLockout false is a
            # lenient sample; choose values that match your own lockout policy.
            bruteForceDetection:
              failureResetTimeSeconds: 43200
              maxFailureWaitSeconds: 900
              maxLoginFailures: 30
              minimumQuickLoginWaitSeconds: 60
              permanentLockout: false
              quickLoginCheckMilliSeconds: 1000
              waitIncrementSeconds: 60
            # Browser security headers for the realm. The CSP only constrains framing
            # and plugin content (frame-src, frame-ancestors, object-src); it sets no
            # script-src or default-src.
            headers:
              contentSecurityPolicy: frame-src 'self'; frame-ancestors 'self'; object-src 'none';
              # Left empty in this example.
              contentSecurityPolicyReportOnly:
              strictTransportSecurity: max-age=31536000; includeSubDomains
              xContentTypeOptions: nosniff
              xFrameOptions: DENY
              xRobotsTag: none
              # NOTE(review): X-XSS-Protection is a legacy header that current browsers
              # no longer act on; rely on the CSP instead.
              xXssProtection: 1; mode=block
          smtpServer:
            # Placeholder credentials. In a real stack, supply the password from
            # Pulumi secret configuration instead of a literal in this file.
            auth:
              password: password
              username: tom
            from: example@example.com
            host: smtp.example.com
          # Accepted values are 'none', 'external' and 'all'.
          # NOTE(review): 'external' is understood to exempt private/loopback client
          # addresses from the HTTPS requirement; prefer 'all' where every client
          # reaches Keycloak over TLS. Confirm against the Keycloak documentation.
          sslRequired: external
          # NOTE(review): the relying party ID is expected to match the host users
          # authenticate on; confirm it against your deployment.
          webAuthnPolicy:
            relyingPartyEntityName: Example
            relyingPartyId: keycloak.example.com
            signatureAlgorithms:
              - ES256
              - RS256
    

    Create Realm Resource

    new Realm(name: string, args: RealmArgs, opts?: CustomResourceOptions);
    @overload
    def Realm(resource_name: str,
              opts: Optional[ResourceOptions] = None,
              access_code_lifespan: Optional[str] = None,
              access_code_lifespan_login: Optional[str] = None,
              access_code_lifespan_user_action: Optional[str] = None,
              access_token_lifespan: Optional[str] = None,
              access_token_lifespan_for_implicit_flow: Optional[str] = None,
              account_theme: Optional[str] = None,
              action_token_generated_by_admin_lifespan: Optional[str] = None,
              action_token_generated_by_user_lifespan: Optional[str] = None,
              admin_theme: Optional[str] = None,
              attributes: Optional[Mapping[str, Any]] = None,
              browser_flow: Optional[str] = None,
              client_authentication_flow: Optional[str] = None,
              client_session_idle_timeout: Optional[str] = None,
              client_session_max_lifespan: Optional[str] = None,
              default_default_client_scopes: Optional[Sequence[str]] = None,
              default_optional_client_scopes: Optional[Sequence[str]] = None,
              default_signature_algorithm: Optional[str] = None,
              direct_grant_flow: Optional[str] = None,
              display_name: Optional[str] = None,
              display_name_html: Optional[str] = None,
              docker_authentication_flow: Optional[str] = None,
              duplicate_emails_allowed: Optional[bool] = None,
              edit_username_allowed: Optional[bool] = None,
              email_theme: Optional[str] = None,
              enabled: Optional[bool] = None,
              internal_id: Optional[str] = None,
              internationalization: Optional[RealmInternationalizationArgs] = None,
              login_theme: Optional[str] = None,
              login_with_email_allowed: Optional[bool] = None,
              oauth2_device_code_lifespan: Optional[str] = None,
              oauth2_device_polling_interval: Optional[int] = None,
              offline_session_idle_timeout: Optional[str] = None,
              offline_session_max_lifespan: Optional[str] = None,
              offline_session_max_lifespan_enabled: Optional[bool] = None,
              otp_policy: Optional[RealmOtpPolicyArgs] = None,
              password_policy: Optional[str] = None,
              realm: Optional[str] = None,
              refresh_token_max_reuse: Optional[int] = None,
              registration_allowed: Optional[bool] = None,
              registration_email_as_username: Optional[bool] = None,
              registration_flow: Optional[str] = None,
              remember_me: Optional[bool] = None,
              reset_credentials_flow: Optional[str] = None,
              reset_password_allowed: Optional[bool] = None,
              revoke_refresh_token: Optional[bool] = None,
              security_defenses: Optional[RealmSecurityDefensesArgs] = None,
              smtp_server: Optional[RealmSmtpServerArgs] = None,
              ssl_required: Optional[str] = None,
              sso_session_idle_timeout: Optional[str] = None,
              sso_session_idle_timeout_remember_me: Optional[str] = None,
              sso_session_max_lifespan: Optional[str] = None,
              sso_session_max_lifespan_remember_me: Optional[str] = None,
              user_managed_access: Optional[bool] = None,
              verify_email: Optional[bool] = None,
              web_authn_passwordless_policy: Optional[RealmWebAuthnPasswordlessPolicyArgs] = None,
              web_authn_policy: Optional[RealmWebAuthnPolicyArgs] = None)
    @overload
    def Realm(resource_name: str,
              args: RealmArgs,
              opts: Optional[ResourceOptions] = None)
    func NewRealm(ctx *Context, name string, args RealmArgs, opts ...ResourceOption) (*Realm, error)
    public Realm(string name, RealmArgs args, CustomResourceOptions? opts = null)
    public Realm(String name, RealmArgs args)
    public Realm(String name, RealmArgs args, CustomResourceOptions options)
    
    type: keycloak:Realm
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args RealmArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args RealmArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args RealmArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args RealmArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args RealmArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Realm Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The Realm resource accepts the following input properties:

    RealmName string

    The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.

    AccessCodeLifespan string

    The maximum amount of time a client has to finish the authorization code flow.

    AccessCodeLifespanLogin string

    The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.

    AccessCodeLifespanUserAction string

    The maximum amount of time a user has to complete login related actions, such as updating a password.

    AccessTokenLifespan string

    The amount of time an access token can be used before it expires.

    AccessTokenLifespanForImplicitFlow string

    The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.

    AccountTheme string

    Used for account management pages.

    ActionTokenGeneratedByAdminLifespan string

    The maximum time a user has to use an admin-generated permit before it expires.

    ActionTokenGeneratedByUserLifespan string

    The maximum time a user has to use a user-generated permit before it expires.

    AdminTheme string

    Used for the admin console.

    Attributes Dictionary<string, object>

    A map of custom attributes to add to the realm.

    BrowserFlow string

    The desired flow for browser authentication. Defaults to browser.

    ClientAuthenticationFlow string

    The desired flow for client authentication. Defaults to clients.

    ClientSessionIdleTimeout string

    The amount of time a session can be idle before it expires. Users can override it for individual clients.

    ClientSessionMaxLifespan string

    The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.

    DefaultDefaultClientScopes List<string>
    DefaultOptionalClientScopes List<string>
    DefaultSignatureAlgorithm string

    Default algorithm used to sign tokens for the realm.

    DirectGrantFlow string

    The desired flow for direct access authentication. Defaults to direct grant.

    DisplayName string

    The display name for the realm that is shown when logging in to the admin console.

    DisplayNameHtml string

    The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.

    DockerAuthenticationFlow string

    The desired flow for Docker authentication. Defaults to docker auth.

    DuplicateEmailsAllowed bool

    When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.

    EditUsernameAllowed bool

    When true, the username field is editable.

    EmailTheme string

    Used for emails that are sent by Keycloak.

    Enabled bool

    When false, users and clients will not be able to access this realm. Defaults to true.

    InternalId string

    When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.

    Internationalization RealmInternationalization
    LoginTheme string

    Used for the login, forgot password, and registration pages.

    LoginWithEmailAllowed bool

    When true, users may log in with their email address.

    Oauth2DeviceCodeLifespan string

    The maximum amount of time a client has to finish the device code flow before it expires.

    The attributes below should be specified in seconds.

    Oauth2DevicePollingInterval int

    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.

    OfflineSessionIdleTimeout string

    The amount of time an offline session can be idle before it expires.

    OfflineSessionMaxLifespan string

    The maximum amount of time before an offline session expires regardless of activity.

    OfflineSessionMaxLifespanEnabled bool

    Enable offline_session_max_lifespan.

    OtpPolicy RealmOtpPolicy
    PasswordPolicy string

    The password policy for users within the realm.

    The arguments below can be used to configure authentication flow bindings:

    RefreshTokenMaxReuse int

    Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.

    The arguments below should be specified as Go duration strings. They will default to Keycloak's default settings.

    RegistrationAllowed bool

    When true, user registration will be enabled, and a link for registration will be displayed on the login page.

    RegistrationEmailAsUsername bool

    When true, the user's email will be used as their username during registration.

    RegistrationFlow string

    The desired flow for user registration. Defaults to registration.

    RememberMe bool

    When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.

    ResetCredentialsFlow string

    The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.

    ResetPasswordAllowed bool

    When true, a "forgot password" link will be displayed on the login page.

    RevokeRefreshToken bool

    If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused (no rotation is enforced).

    SecurityDefenses RealmSecurityDefenses
    SmtpServer RealmSmtpServer
    SslRequired string

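    Can be one of the following values: 'none', 'external' or 'all'. In Keycloak, 'all' requires HTTPS for every request, 'external' requires it only for clients outside private/loopback address ranges, and 'none' does not require it.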

    SsoSessionIdleTimeout string

    The amount of time a session can be idle before it expires.

    SsoSessionIdleTimeoutRememberMe string

    Similar to sso_session_idle_timeout, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_idle_timeout.

    SsoSessionMaxLifespan string

    The maximum amount of time before a session expires regardless of activity.

    SsoSessionMaxLifespanRememberMe string

    Similar to sso_session_max_lifespan, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_max_lifespan.

    UserManagedAccess bool

    When true, users are allowed to manage their own resources. Defaults to false.

    VerifyEmail bool

    When true, users are required to verify their email address after registration and after email address changes.

    WebAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicy

    Configuration for WebAuthn Passwordless Policy authentication.

    Each of these attributes are blocks with the following attributes:

    WebAuthnPolicy RealmWebAuthnPolicy

    Configuration for WebAuthn Policy authentication.

    Realm string

    The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.

    AccessCodeLifespan string

    The maximum amount of time a client has to finish the authorization code flow.

    AccessCodeLifespanLogin string

    The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.

    AccessCodeLifespanUserAction string

    The maximum amount of time a user has to complete login related actions, such as updating a password.

    AccessTokenLifespan string

    The amount of time an access token can be used before it expires.

    AccessTokenLifespanForImplicitFlow string

    The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.

    AccountTheme string

    Used for account management pages.

    ActionTokenGeneratedByAdminLifespan string

    The maximum time a user has to use an admin-generated permit before it expires.

    ActionTokenGeneratedByUserLifespan string

    The maximum time a user has to use a user-generated permit before it expires.

    AdminTheme string

    Used for the admin console.

    Attributes map[string]interface{}

    A map of custom attributes to add to the realm.

    BrowserFlow string

    The desired flow for browser authentication. Defaults to browser.

    ClientAuthenticationFlow string

    The desired flow for client authentication. Defaults to clients.

    ClientSessionIdleTimeout string

    The amount of time a session can be idle before it expires. Users can override it for individual clients.

    ClientSessionMaxLifespan string

    The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.

    DefaultDefaultClientScopes []string
    DefaultOptionalClientScopes []string
    DefaultSignatureAlgorithm string

    Default algorithm used to sign tokens for the realm.

    DirectGrantFlow string

    The desired flow for direct access authentication. Defaults to direct grant.

    DisplayName string

    The display name for the realm that is shown when logging in to the admin console.

    DisplayNameHtml string

    The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.

    DockerAuthenticationFlow string

    The desired flow for Docker authentication. Defaults to docker auth.

    DuplicateEmailsAllowed bool

    When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.

    EditUsernameAllowed bool

    When true, the username field is editable.

    EmailTheme string

    Used for emails that are sent by Keycloak.

    Enabled bool

    When false, users and clients will not be able to access this realm. Defaults to true.

    InternalId string

    When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.

    Internationalization RealmInternationalizationArgs
    LoginTheme string

    Used for the login, forgot password, and registration pages.

    LoginWithEmailAllowed bool

    When true, users may log in with their email address.

    Oauth2DeviceCodeLifespan string

    The maximum amount of time a client has to finish the device code flow before it expires.

    The attributes below should be specified in seconds.

    Oauth2DevicePollingInterval int

    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.

    OfflineSessionIdleTimeout string

    The amount of time an offline session can be idle before it expires.

    OfflineSessionMaxLifespan string

    The maximum amount of time before an offline session expires regardless of activity.

    OfflineSessionMaxLifespanEnabled bool

    Enable offline_session_max_lifespan.

    OtpPolicy RealmOtpPolicyArgs
    PasswordPolicy string

    The password policy for users within the realm.

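    The flow arguments (browser flow, client authentication flow, direct grant flow, Docker authentication flow, registration flow and reset credentials flow) can be used to configure authentication flow bindings.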

    RefreshTokenMaxReuse int

    Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.

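    The string-typed lifespan and timeout arguments should be specified as Go duration strings. They will default to Keycloak's default settings. (In this alphabetical listing the note does not describe the properties that immediately follow it.)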

    RegistrationAllowed bool

    When true, user registration will be enabled, and a link for registration will be displayed on the login page.

    RegistrationEmailAsUsername bool

    When true, the user's email will be used as their username during registration.

    RegistrationFlow string

    The desired flow for user registration. Defaults to registration.

    RememberMe bool

    When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.

    ResetCredentialsFlow string

    The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.

    ResetPasswordAllowed bool

    When true, a "forgot password" link will be displayed on the login page.

    RevokeRefreshToken bool

    If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused.

    SecurityDefenses RealmSecurityDefensesArgs
    SmtpServer RealmSmtpServerArgs
    SslRequired string

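    Can be one of the following values: 'none', 'external' or 'all'. This controls whether Keycloak requires HTTPS for requests to the realm: 'none' does not require it, 'external' requires it except for requests from private IP addresses, and 'all' requires it for every request.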

    SsoSessionIdleTimeout string

    The amount of time a session can be idle before it expires.

    SsoSessionIdleTimeoutRememberMe string

    Similar to sso_session_idle_timeout, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_idle_timeout.

    SsoSessionMaxLifespan string

    The maximum amount of time before a session expires regardless of activity.

    SsoSessionMaxLifespanRememberMe string

    Similar to sso_session_max_lifespan, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_max_lifespan.

    UserManagedAccess bool

    When true, users are allowed to manage their own resources. Defaults to false.

    VerifyEmail bool

    When true, users are required to verify their email address after registration and after email address changes.

    WebAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicyArgs

    Configuration for WebAuthn Passwordless Policy authentication.

    Each of these attributes are blocks with the following attributes:

    WebAuthnPolicy RealmWebAuthnPolicyArgs

    Configuration for WebAuthn Policy authentication.

    realm String

    The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.

    accessCodeLifespan String

    The maximum amount of time a client has to finish the authorization code flow.

    accessCodeLifespanLogin String

    The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.

    accessCodeLifespanUserAction String

    The maximum amount of time a user has to complete login related actions, such as updating a password.

    accessTokenLifespan String

    The amount of time an access token can be used before it expires.

    accessTokenLifespanForImplicitFlow String

    The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.

    accountTheme String

    Used for account management pages.

    actionTokenGeneratedByAdminLifespan String

    The maximum time a user has to use an admin-generated permit before it expires.

    actionTokenGeneratedByUserLifespan String

    The maximum time a user has to use a user-generated permit before it expires.

    adminTheme String

    Used for the admin console.

    attributes Map<String,Object>

    A map of custom attributes to add to the realm.

    browserFlow String

    The desired flow for browser authentication. Defaults to browser.

    clientAuthenticationFlow String

    The desired flow for client authentication. Defaults to clients.

    clientSessionIdleTimeout String

    The amount of time a session can be idle before it expires. Users can override it for individual clients.

    clientSessionMaxLifespan String

    The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.

    defaultDefaultClientScopes List<String>
    defaultOptionalClientScopes List<String>
    defaultSignatureAlgorithm String

    Default algorithm used to sign tokens for the realm.

    directGrantFlow String

    The desired flow for direct access authentication. Defaults to direct grant.

    displayName String

    The display name for the realm that is shown when logging in to the admin console.

    displayNameHtml String

    The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.

    dockerAuthenticationFlow String

    The desired flow for Docker authentication. Defaults to docker auth.

    duplicateEmailsAllowed Boolean

    When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.

    editUsernameAllowed Boolean

    When true, the username field is editable.

    emailTheme String

    Used for emails that are sent by Keycloak.

    enabled Boolean

    When false, users and clients will not be able to access this realm. Defaults to true.

    internalId String

    When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.

    internationalization RealmInternationalization
    loginTheme String

    Used for the login, forgot password, and registration pages.

    loginWithEmailAllowed Boolean

    When true, users may log in with their email address.

    oauth2DeviceCodeLifespan String

    The maximum amount of time a client has to finish the device code flow before it expires.

    The attributes below should be specified in seconds.

    oauth2DevicePollingInterval Integer

    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.

    offlineSessionIdleTimeout String

    The amount of time an offline session can be idle before it expires.

    offlineSessionMaxLifespan String

    The maximum amount of time before an offline session expires regardless of activity.

    offlineSessionMaxLifespanEnabled Boolean

    Enable offline_session_max_lifespan.

    otpPolicy RealmOtpPolicy
    passwordPolicy String

    The password policy for users within the realm.

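    The flow arguments (browser flow, client authentication flow, direct grant flow, Docker authentication flow, registration flow and reset credentials flow) can be used to configure authentication flow bindings.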

    refreshTokenMaxReuse Integer

    Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.

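    The string-typed lifespan and timeout arguments should be specified as Go duration strings. They will default to Keycloak's default settings. (In this alphabetical listing the note does not describe the properties that immediately follow it.)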

    registrationAllowed Boolean

    When true, user registration will be enabled, and a link for registration will be displayed on the login page.

    registrationEmailAsUsername Boolean

    When true, the user's email will be used as their username during registration.

    registrationFlow String

    The desired flow for user registration. Defaults to registration.

    rememberMe Boolean

    When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.

    resetCredentialsFlow String

    The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.

    resetPasswordAllowed Boolean

    When true, a "forgot password" link will be displayed on the login page.

    revokeRefreshToken Boolean

    If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused.

    securityDefenses RealmSecurityDefenses
    smtpServer RealmSmtpServer
    sslRequired String

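    Can be one of the following values: 'none', 'external' or 'all'. This controls whether Keycloak requires HTTPS for requests to the realm: 'none' does not require it, 'external' requires it except for requests from private IP addresses, and 'all' requires it for every request.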

    ssoSessionIdleTimeout String

    The amount of time a session can be idle before it expires.

    ssoSessionIdleTimeoutRememberMe String

    Similar to sso_session_idle_timeout, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_idle_timeout.

    ssoSessionMaxLifespan String

    The maximum amount of time before a session expires regardless of activity.

    ssoSessionMaxLifespanRememberMe String

    Similar to sso_session_max_lifespan, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_max_lifespan.

    userManagedAccess Boolean

    When true, users are allowed to manage their own resources. Defaults to false.

    verifyEmail Boolean

    When true, users are required to verify their email address after registration and after email address changes.

    webAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicy

    Configuration for WebAuthn Passwordless Policy authentication.

    Each of these attributes are blocks with the following attributes:

    webAuthnPolicy RealmWebAuthnPolicy

    Configuration for WebAuthn Policy authentication.

    realm string

    The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.

    accessCodeLifespan string

    The maximum amount of time a client has to finish the authorization code flow.

    accessCodeLifespanLogin string

    The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.

    accessCodeLifespanUserAction string

    The maximum amount of time a user has to complete login related actions, such as updating a password.

    accessTokenLifespan string

    The amount of time an access token can be used before it expires.

    accessTokenLifespanForImplicitFlow string

    The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.

    accountTheme string

    Used for account management pages.

    actionTokenGeneratedByAdminLifespan string

    The maximum time a user has to use an admin-generated permit before it expires.

    actionTokenGeneratedByUserLifespan string

    The maximum time a user has to use a user-generated permit before it expires.

    adminTheme string

    Used for the admin console.

    attributes {[key: string]: any}

    A map of custom attributes to add to the realm.

    browserFlow string

    The desired flow for browser authentication. Defaults to browser.

    clientAuthenticationFlow string

    The desired flow for client authentication. Defaults to clients.

    clientSessionIdleTimeout string

    The amount of time a session can be idle before it expires. Users can override it for individual clients.

    clientSessionMaxLifespan string

    The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.

    defaultDefaultClientScopes string[]
    defaultOptionalClientScopes string[]
    defaultSignatureAlgorithm string

    Default algorithm used to sign tokens for the realm.

    directGrantFlow string

    The desired flow for direct access authentication. Defaults to direct grant.

    displayName string

    The display name for the realm that is shown when logging in to the admin console.

    displayNameHtml string

    The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.

    dockerAuthenticationFlow string

    The desired flow for Docker authentication. Defaults to docker auth.

    duplicateEmailsAllowed boolean

    When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.

    editUsernameAllowed boolean

    When true, the username field is editable.

    emailTheme string

    Used for emails that are sent by Keycloak.

    enabled boolean

    When false, users and clients will not be able to access this realm. Defaults to true.

    internalId string

    When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.

    internationalization RealmInternationalization
    loginTheme string

    Used for the login, forgot password, and registration pages.

    loginWithEmailAllowed boolean

    When true, users may log in with their email address.

    oauth2DeviceCodeLifespan string

    The maximum amount of time a client has to finish the device code flow before it expires.

    The attributes below should be specified in seconds.

    oauth2DevicePollingInterval number

    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.

    offlineSessionIdleTimeout string

    The amount of time an offline session can be idle before it expires.

    offlineSessionMaxLifespan string

    The maximum amount of time before an offline session expires regardless of activity.

    offlineSessionMaxLifespanEnabled boolean

    Enable offline_session_max_lifespan.

    otpPolicy RealmOtpPolicy
    passwordPolicy string

    The password policy for users within the realm.

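    The flow arguments (browser flow, client authentication flow, direct grant flow, Docker authentication flow, registration flow and reset credentials flow) can be used to configure authentication flow bindings.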

    refreshTokenMaxReuse number

    Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.

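    The string-typed lifespan and timeout arguments should be specified as Go duration strings. They will default to Keycloak's default settings. (In this alphabetical listing the note does not describe the properties that immediately follow it.)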

    registrationAllowed boolean

    When true, user registration will be enabled, and a link for registration will be displayed on the login page.

    registrationEmailAsUsername boolean

    When true, the user's email will be used as their username during registration.

    registrationFlow string

    The desired flow for user registration. Defaults to registration.

    rememberMe boolean

    When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.

    resetCredentialsFlow string

    The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.

    resetPasswordAllowed boolean

    When true, a "forgot password" link will be displayed on the login page.

    revokeRefreshToken boolean

    If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused.

    securityDefenses RealmSecurityDefenses
    smtpServer RealmSmtpServer
    sslRequired string

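    Can be one of the following values: 'none', 'external' or 'all'. This controls whether Keycloak requires HTTPS for requests to the realm: 'none' does not require it, 'external' requires it except for requests from private IP addresses, and 'all' requires it for every request.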

    ssoSessionIdleTimeout string

    The amount of time a session can be idle before it expires.

    ssoSessionIdleTimeoutRememberMe string

    Similar to sso_session_idle_timeout, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_idle_timeout.

    ssoSessionMaxLifespan string

    The maximum amount of time before a session expires regardless of activity.

    ssoSessionMaxLifespanRememberMe string

    Similar to sso_session_max_lifespan, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_max_lifespan.

    userManagedAccess boolean

    When true, users are allowed to manage their own resources. Defaults to false.

    verifyEmail boolean

    When true, users are required to verify their email address after registration and after email address changes.

    webAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicy

    Configuration for WebAuthn Passwordless Policy authentication.

    Each of these attributes are blocks with the following attributes:

    webAuthnPolicy RealmWebAuthnPolicy

    Configuration for WebAuthn Policy authentication.

    realm str

    The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.

    access_code_lifespan str

    The maximum amount of time a client has to finish the authorization code flow.

    access_code_lifespan_login str

    The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.

    access_code_lifespan_user_action str

    The maximum amount of time a user has to complete login related actions, such as updating a password.

    access_token_lifespan str

    The amount of time an access token can be used before it expires.

    access_token_lifespan_for_implicit_flow str

    The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.

    account_theme str

    Used for account management pages.

    action_token_generated_by_admin_lifespan str

    The maximum time a user has to use an admin-generated permit before it expires.

    action_token_generated_by_user_lifespan str

    The maximum time a user has to use a user-generated permit before it expires.

    admin_theme str

    Used for the admin console.

    attributes Mapping[str, Any]

    A map of custom attributes to add to the realm.

    browser_flow str

    The desired flow for browser authentication. Defaults to browser.

    client_authentication_flow str

    The desired flow for client authentication. Defaults to clients.

    client_session_idle_timeout str

    The amount of time a session can be idle before it expires. Users can override it for individual clients.

    client_session_max_lifespan str

    The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.

    default_default_client_scopes Sequence[str]
    default_optional_client_scopes Sequence[str]
    default_signature_algorithm str

    Default algorithm used to sign tokens for the realm.

    direct_grant_flow str

    The desired flow for direct access authentication. Defaults to direct grant.

    display_name str

    The display name for the realm that is shown when logging in to the admin console.

    display_name_html str

    The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.

    docker_authentication_flow str

    The desired flow for Docker authentication. Defaults to docker auth.

    duplicate_emails_allowed bool

    When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.

    edit_username_allowed bool

    When true, the username field is editable.

    email_theme str

    Used for emails that are sent by Keycloak.

    enabled bool

    When false, users and clients will not be able to access this realm. Defaults to true.

    internal_id str

    When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.

    internationalization RealmInternationalizationArgs
    login_theme str

    Used for the login, forgot password, and registration pages.

    login_with_email_allowed bool

    When true, users may log in with their email address.

    oauth2_device_code_lifespan str

    The maximum amount of time a client has to finish the device code flow before it expires.

    The attributes below should be specified in seconds.

    oauth2_device_polling_interval int

    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.

    offline_session_idle_timeout str

    The amount of time an offline session can be idle before it expires.

    offline_session_max_lifespan str

    The maximum amount of time before an offline session expires regardless of activity.

    offline_session_max_lifespan_enabled bool

    Enable offline_session_max_lifespan.

    otp_policy RealmOtpPolicyArgs
    password_policy str

    The password policy for users within the realm.

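    The flow arguments (browser flow, client authentication flow, direct grant flow, Docker authentication flow, registration flow and reset credentials flow) can be used to configure authentication flow bindings.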

    refresh_token_max_reuse int

    Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.

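    The string-typed lifespan and timeout arguments should be specified as Go duration strings. They will default to Keycloak's default settings. (In this alphabetical listing the note does not describe the properties that immediately follow it.)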

    registration_allowed bool

    When true, user registration will be enabled, and a link for registration will be displayed on the login page.

    registration_email_as_username bool

    When true, the user's email will be used as their username during registration.

    registration_flow str

    The desired flow for user registration. Defaults to registration.

    remember_me bool

    When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.

    reset_credentials_flow str

    The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.

    reset_password_allowed bool

    When true, a "forgot password" link will be displayed on the login page.

    revoke_refresh_token bool

    If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused.

    security_defenses RealmSecurityDefensesArgs
    smtp_server RealmSmtpServerArgs
    ssl_required str

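    Can be one of the following values: 'none', 'external' or 'all'. This controls whether Keycloak requires HTTPS for requests to the realm: 'none' does not require it, 'external' requires it except for requests from private IP addresses, and 'all' requires it for every request.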

    sso_session_idle_timeout str

    The amount of time a session can be idle before it expires.

    sso_session_idle_timeout_remember_me str

    Similar to sso_session_idle_timeout, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_idle_timeout.

    sso_session_max_lifespan str

    The maximum amount of time before a session expires regardless of activity.

    sso_session_max_lifespan_remember_me str

    Similar to sso_session_max_lifespan, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_max_lifespan.

    user_managed_access bool

    When true, users are allowed to manage their own resources. Defaults to false.

    verify_email bool

    When true, users are required to verify their email address after registration and after email address changes.

    web_authn_passwordless_policy RealmWebAuthnPasswordlessPolicyArgs

    Configuration for WebAuthn Passwordless Policy authentication.

    Each of these attributes are blocks with the following attributes:

    web_authn_policy RealmWebAuthnPolicyArgs

    Configuration for WebAuthn Policy authentication.

    realm String

    The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.

    accessCodeLifespan String

    The maximum amount of time a client has to finish the authorization code flow.

    accessCodeLifespanLogin String

    The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.

    accessCodeLifespanUserAction String

    The maximum amount of time a user has to complete login related actions, such as updating a password.

    accessTokenLifespan String

    The amount of time an access token can be used before it expires.

    accessTokenLifespanForImplicitFlow String

    The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.

    accountTheme String

    Used for account management pages.

    actionTokenGeneratedByAdminLifespan String

    The maximum time a user has to use an admin-generated permit before it expires.

    actionTokenGeneratedByUserLifespan String

    The maximum time a user has to use a user-generated permit before it expires.

    adminTheme String

    Used for the admin console.

    attributes Map<Any>

    A map of custom attributes to add to the realm.

    browserFlow String

    The desired flow for browser authentication. Defaults to browser.

    clientAuthenticationFlow String

    The desired flow for client authentication. Defaults to clients.

    clientSessionIdleTimeout String

    The amount of time a session can be idle before it expires. Users can override it for individual clients.

    clientSessionMaxLifespan String

    The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.

    defaultDefaultClientScopes List<String>
    defaultOptionalClientScopes List<String>
    defaultSignatureAlgorithm String

    Default algorithm used to sign tokens for the realm.

    directGrantFlow String

    The desired flow for direct access authentication. Defaults to direct grant.

    displayName String

    The display name for the realm that is shown when logging in to the admin console.

    displayNameHtml String

    The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.

    dockerAuthenticationFlow String

    The desired flow for Docker authentication. Defaults to docker auth.

    duplicateEmailsAllowed Boolean

    When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.

    editUsernameAllowed Boolean

    When true, the username field is editable.

    emailTheme String

    Used for emails that are sent by Keycloak.

    enabled Boolean

    When false, users and clients will not be able to access this realm. Defaults to true.

    internalId String

    When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.

    internationalization Property Map
    loginTheme String

    Used for the login, forgot password, and registration pages.

    loginWithEmailAllowed Boolean

    When true, users may log in with their email address.

    oauth2DeviceCodeLifespan String

    The maximum amount of time a client has to finish the device code flow before it expires.

    The attributes below should be specified in seconds.

    oauth2DevicePollingInterval Number

    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.

    offlineSessionIdleTimeout String

    The amount of time an offline session can be idle before it expires.

    offlineSessionMaxLifespan String

    The maximum amount of time before an offline session expires regardless of activity.

    offlineSessionMaxLifespanEnabled Boolean

    Enable offline_session_max_lifespan.

    otpPolicy Property Map
    passwordPolicy String

    The password policy for users within the realm.

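    The flow arguments (browser flow, client authentication flow, direct grant flow, Docker authentication flow, registration flow and reset credentials flow) can be used to configure authentication flow bindings.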

    refreshTokenMaxReuse Number

    Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.

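    The string-typed lifespan and timeout arguments should be specified as Go duration strings. They will default to Keycloak's default settings. (In this alphabetical listing the note does not describe the properties that immediately follow it.)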

    registrationAllowed Boolean

    When true, user registration will be enabled, and a link for registration will be displayed on the login page.

    registrationEmailAsUsername Boolean

    When true, the user's email will be used as their username during registration.

    registrationFlow String

    The desired flow for user registration. Defaults to registration.

    rememberMe Boolean

    When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.

    resetCredentialsFlow String

    The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.

    resetPasswordAllowed Boolean

    When true, a "forgot password" link will be displayed on the login page.

    revokeRefreshToken Boolean

    If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused.

    securityDefenses Property Map
    smtpServer Property Map
    sslRequired String

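    Can be one of the following values: 'none', 'external' or 'all'. This controls whether Keycloak requires HTTPS for requests to the realm: 'none' does not require it, 'external' requires it except for requests from private IP addresses, and 'all' requires it for every request.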

    ssoSessionIdleTimeout String

    The amount of time a session can be idle before it expires.

    ssoSessionIdleTimeoutRememberMe String

    Similar to sso_session_idle_timeout, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_idle_timeout.

    ssoSessionMaxLifespan String

    The maximum amount of time before a session expires regardless of activity.

    ssoSessionMaxLifespanRememberMe String

    Similar to sso_session_max_lifespan, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_max_lifespan.

    userManagedAccess Boolean

    When true, users are allowed to manage their own resources. Defaults to false.

    verifyEmail Boolean

    When true, users are required to verify their email address after registration and after email address changes.

    webAuthnPasswordlessPolicy Property Map

    Configuration for WebAuthn Passwordless Policy authentication.

    Each of these attributes are blocks with the following attributes:

    webAuthnPolicy Property Map

    Configuration for WebAuthn Policy authentication.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the Realm resource produces the following output properties:

    Id string

    The provider-assigned unique ID for this managed resource.

    Id string

    The provider-assigned unique ID for this managed resource.

    id String

    The provider-assigned unique ID for this managed resource.

    id string

    The provider-assigned unique ID for this managed resource.

    id str

    The provider-assigned unique ID for this managed resource.

    id String

    The provider-assigned unique ID for this managed resource.

    Look up Existing Realm Resource

    Get an existing Realm resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: RealmState, opts?: CustomResourceOptions): Realm
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            access_code_lifespan: Optional[str] = None,
            access_code_lifespan_login: Optional[str] = None,
            access_code_lifespan_user_action: Optional[str] = None,
            access_token_lifespan: Optional[str] = None,
            access_token_lifespan_for_implicit_flow: Optional[str] = None,
            account_theme: Optional[str] = None,
            action_token_generated_by_admin_lifespan: Optional[str] = None,
            action_token_generated_by_user_lifespan: Optional[str] = None,
            admin_theme: Optional[str] = None,
            attributes: Optional[Mapping[str, Any]] = None,
            browser_flow: Optional[str] = None,
            client_authentication_flow: Optional[str] = None,
            client_session_idle_timeout: Optional[str] = None,
            client_session_max_lifespan: Optional[str] = None,
            default_default_client_scopes: Optional[Sequence[str]] = None,
            default_optional_client_scopes: Optional[Sequence[str]] = None,
            default_signature_algorithm: Optional[str] = None,
            direct_grant_flow: Optional[str] = None,
            display_name: Optional[str] = None,
            display_name_html: Optional[str] = None,
            docker_authentication_flow: Optional[str] = None,
            duplicate_emails_allowed: Optional[bool] = None,
            edit_username_allowed: Optional[bool] = None,
            email_theme: Optional[str] = None,
            enabled: Optional[bool] = None,
            internal_id: Optional[str] = None,
            internationalization: Optional[RealmInternationalizationArgs] = None,
            login_theme: Optional[str] = None,
            login_with_email_allowed: Optional[bool] = None,
            oauth2_device_code_lifespan: Optional[str] = None,
            oauth2_device_polling_interval: Optional[int] = None,
            offline_session_idle_timeout: Optional[str] = None,
            offline_session_max_lifespan: Optional[str] = None,
            offline_session_max_lifespan_enabled: Optional[bool] = None,
            otp_policy: Optional[RealmOtpPolicyArgs] = None,
            password_policy: Optional[str] = None,
            realm: Optional[str] = None,
            refresh_token_max_reuse: Optional[int] = None,
            registration_allowed: Optional[bool] = None,
            registration_email_as_username: Optional[bool] = None,
            registration_flow: Optional[str] = None,
            remember_me: Optional[bool] = None,
            reset_credentials_flow: Optional[str] = None,
            reset_password_allowed: Optional[bool] = None,
            revoke_refresh_token: Optional[bool] = None,
            security_defenses: Optional[RealmSecurityDefensesArgs] = None,
            smtp_server: Optional[RealmSmtpServerArgs] = None,
            ssl_required: Optional[str] = None,
            sso_session_idle_timeout: Optional[str] = None,
            sso_session_idle_timeout_remember_me: Optional[str] = None,
            sso_session_max_lifespan: Optional[str] = None,
            sso_session_max_lifespan_remember_me: Optional[str] = None,
            user_managed_access: Optional[bool] = None,
            verify_email: Optional[bool] = None,
            web_authn_passwordless_policy: Optional[RealmWebAuthnPasswordlessPolicyArgs] = None,
            web_authn_policy: Optional[RealmWebAuthnPolicyArgs] = None) -> Realm
    func GetRealm(ctx *Context, name string, id IDInput, state *RealmState, opts ...ResourceOption) (*Realm, error)
    public static Realm Get(string name, Input<string> id, RealmState? state, CustomResourceOptions? opts = null)
    public static Realm get(String name, Output<String> id, RealmState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AccessCodeLifespan string

    The maximum amount of time a client has to finish the authorization code flow.

    AccessCodeLifespanLogin string

    The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.

    AccessCodeLifespanUserAction string

    The maximum amount of time a user has to complete login related actions, such as updating a password.

    AccessTokenLifespan string

    The amount of time an access token can be used before it expires.

    AccessTokenLifespanForImplicitFlow string

    The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.

    AccountTheme string

    Used for account management pages.

    ActionTokenGeneratedByAdminLifespan string

    The maximum time a user has to use an admin-generated permit before it expires.

    ActionTokenGeneratedByUserLifespan string

    The maximum time a user has to use a user-generated permit before it expires.

    AdminTheme string

    Used for the admin console.

    Attributes Dictionary<string, object>

    A map of custom attributes to add to the realm.

    BrowserFlow string

    The desired flow for browser authentication. Defaults to browser.

    ClientAuthenticationFlow string

    The desired flow for client authentication. Defaults to clients.

    ClientSessionIdleTimeout string

    The amount of time a session can be idle before it expires. Users can override it for individual clients.

    ClientSessionMaxLifespan string

    The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.

    DefaultDefaultClientScopes List<string>
    DefaultOptionalClientScopes List<string>
    DefaultSignatureAlgorithm string

    Default algorithm used to sign tokens for the realm.

    DirectGrantFlow string

    The desired flow for direct access authentication. Defaults to direct grant.

    DisplayName string

    The display name for the realm that is shown when logging in to the admin console.

    DisplayNameHtml string

    The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.

    DockerAuthenticationFlow string

    The desired flow for Docker authentication. Defaults to docker auth.

    DuplicateEmailsAllowed bool

    When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.

    EditUsernameAllowed bool

    When true, the username field is editable.

    EmailTheme string

    Used for emails that are sent by Keycloak.

    Enabled bool

    When false, users and clients will not be able to access this realm. Defaults to true.

    InternalId string

    When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.

    Internationalization RealmInternationalization
    LoginTheme string

    Used for the login, forgot password, and registration pages.

    LoginWithEmailAllowed bool

    When true, users may log in with their email address.

    Oauth2DeviceCodeLifespan string

    The maximum amount of time a client has to finish the device code flow before it expires.

    The attributes below should be specified in seconds.

    Oauth2DevicePollingInterval int

    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.

    OfflineSessionIdleTimeout string

    The amount of time an offline session can be idle before it expires.

    OfflineSessionMaxLifespan string

    The maximum amount of time before an offline session expires regardless of activity.

    OfflineSessionMaxLifespanEnabled bool

    Enable offline_session_max_lifespan.

    OtpPolicy RealmOtpPolicy
    PasswordPolicy string

    The password policy for users within the realm.

    The arguments below can be used to configure authentication flow bindings:

    RealmName string

    The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.

    RefreshTokenMaxReuse int

    Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.

    The arguments below should be specified as Go duration strings. They will default to Keycloak's default settings.

    RegistrationAllowed bool

    When true, user registration will be enabled, and a link for registration will be displayed on the login page.

    RegistrationEmailAsUsername bool

    When true, the user's email will be used as their username during registration.

    RegistrationFlow string

    The desired flow for user registration. Defaults to registration.

    RememberMe bool

    When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.

    ResetCredentialsFlow string

    The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.

    ResetPasswordAllowed bool

    When true, a "forgot password" link will be displayed on the login page.

    RevokeRefreshToken bool

    If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused (no reuse limit is enforced).

    SecurityDefenses RealmSecurityDefenses
    SmtpServer RealmSmtpServer
    SslRequired string

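    Can be one of the following values: 'none', 'external' or 'all'. 'none' does not require HTTPS, 'external' requires HTTPS for requests from non-private IP addresses, and 'all' requires HTTPS for every request.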

    SsoSessionIdleTimeout string

    The amount of time a session can be idle before it expires.

    SsoSessionIdleTimeoutRememberMe string

    Similar to sso_session_idle_timeout, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_idle_timeout.

    SsoSessionMaxLifespan string

    The maximum amount of time before a session expires regardless of activity.

    SsoSessionMaxLifespanRememberMe string

    Similar to sso_session_max_lifespan, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_max_lifespan.

    UserManagedAccess bool

    When true, users are allowed to manage their own resources. Defaults to false.

    VerifyEmail bool

    When true, users are required to verify their email address after registration and after email address changes.

    WebAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicy

    Configuration for WebAuthn Passwordless Policy authentication.

    Each of these attributes are blocks with the following attributes:

    WebAuthnPolicy RealmWebAuthnPolicy

    Configuration for WebAuthn Policy authentication.

    AccessCodeLifespan string

    The maximum amount of time a client has to finish the authorization code flow.

    AccessCodeLifespanLogin string

    The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.

    AccessCodeLifespanUserAction string

    The maximum amount of time a user has to complete login related actions, such as updating a password.

    AccessTokenLifespan string

    The amount of time an access token can be used before it expires.

    AccessTokenLifespanForImplicitFlow string

    The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.

    AccountTheme string

    Used for account management pages.

    ActionTokenGeneratedByAdminLifespan string

    The maximum time a user has to use an admin-generated permit before it expires.

    ActionTokenGeneratedByUserLifespan string

    The maximum time a user has to use a user-generated permit before it expires.

    AdminTheme string

    Used for the admin console.

    Attributes map[string]interface{}

    A map of custom attributes to add to the realm.

    BrowserFlow string

    The desired flow for browser authentication. Defaults to browser.

    ClientAuthenticationFlow string

    The desired flow for client authentication. Defaults to clients.

    ClientSessionIdleTimeout string

    The amount of time a session can be idle before it expires. Users can override it for individual clients.

    ClientSessionMaxLifespan string

    The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.

    DefaultDefaultClientScopes []string
    DefaultOptionalClientScopes []string
    DefaultSignatureAlgorithm string

    Default algorithm used to sign tokens for the realm.

    DirectGrantFlow string

    The desired flow for direct access authentication. Defaults to direct grant.

    DisplayName string

    The display name for the realm that is shown when logging in to the admin console.

    DisplayNameHtml string

    The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.

    DockerAuthenticationFlow string

    The desired flow for Docker authentication. Defaults to docker auth.

    DuplicateEmailsAllowed bool

    When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.

    EditUsernameAllowed bool

    When true, the username field is editable.

    EmailTheme string

    Used for emails that are sent by Keycloak.

    Enabled bool

    When false, users and clients will not be able to access this realm. Defaults to true.

    InternalId string

    When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.

    Internationalization RealmInternationalizationArgs
    LoginTheme string

    Used for the login, forgot password, and registration pages.

    LoginWithEmailAllowed bool

    When true, users may log in with their email address.

    Oauth2DeviceCodeLifespan string

    The maximum amount of time a client has to finish the device code flow before it expires.

    The attributes below should be specified in seconds.

    Oauth2DevicePollingInterval int

    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.

    OfflineSessionIdleTimeout string

    The amount of time an offline session can be idle before it expires.

    OfflineSessionMaxLifespan string

    The maximum amount of time before an offline session expires regardless of activity.

    OfflineSessionMaxLifespanEnabled bool

    Enable offline_session_max_lifespan.

    OtpPolicy RealmOtpPolicyArgs
    PasswordPolicy string

    The password policy for users within the realm.

    The arguments below can be used to configure authentication flow bindings:

    Realm string

    The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.

    RefreshTokenMaxReuse int

    Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.

    The arguments below should be specified as Go duration strings. They will default to Keycloak's default settings.

    RegistrationAllowed bool

    When true, user registration will be enabled, and a link for registration will be displayed on the login page.

    RegistrationEmailAsUsername bool

    When true, the user's email will be used as their username during registration.

    RegistrationFlow string

    The desired flow for user registration. Defaults to registration.

    RememberMe bool

    When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.

    ResetCredentialsFlow string

    The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.

    ResetPasswordAllowed bool

    When true, a "forgot password" link will be displayed on the login page.

    RevokeRefreshToken bool

    If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused (no reuse limit is enforced).

    SecurityDefenses RealmSecurityDefensesArgs
    SmtpServer RealmSmtpServerArgs
    SslRequired string

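    Can be one of the following values: 'none', 'external' or 'all'. 'none' does not require HTTPS, 'external' requires HTTPS for requests from non-private IP addresses, and 'all' requires HTTPS for every request.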

    SsoSessionIdleTimeout string

    The amount of time a session can be idle before it expires.

    SsoSessionIdleTimeoutRememberMe string

    Similar to sso_session_idle_timeout, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_idle_timeout.

    SsoSessionMaxLifespan string

    The maximum amount of time before a session expires regardless of activity.

    SsoSessionMaxLifespanRememberMe string

    Similar to sso_session_max_lifespan, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_max_lifespan.

    UserManagedAccess bool

    When true, users are allowed to manage their own resources. Defaults to false.

    VerifyEmail bool

    When true, users are required to verify their email address after registration and after email address changes.

    WebAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicyArgs

    Configuration for WebAuthn Passwordless Policy authentication.

    Each of these attributes are blocks with the following attributes:

    WebAuthnPolicy RealmWebAuthnPolicyArgs

    Configuration for WebAuthn Policy authentication.

    accessCodeLifespan String

    The maximum amount of time a client has to finish the authorization code flow.

    accessCodeLifespanLogin String

    The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.

    accessCodeLifespanUserAction String

    The maximum amount of time a user has to complete login related actions, such as updating a password.

    accessTokenLifespan String

    The amount of time an access token can be used before it expires.

    accessTokenLifespanForImplicitFlow String

    The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.

    accountTheme String

    Used for account management pages.

    actionTokenGeneratedByAdminLifespan String

    The maximum time a user has to use an admin-generated permit before it expires.

    actionTokenGeneratedByUserLifespan String

    The maximum time a user has to use a user-generated permit before it expires.

    adminTheme String

    Used for the admin console.

    attributes Map<String,Object>

    A map of custom attributes to add to the realm.

    browserFlow String

    The desired flow for browser authentication. Defaults to browser.

    clientAuthenticationFlow String

    The desired flow for client authentication. Defaults to clients.

    clientSessionIdleTimeout String

    The amount of time a session can be idle before it expires. Users can override it for individual clients.

    clientSessionMaxLifespan String

    The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.

    defaultDefaultClientScopes List<String>
    defaultOptionalClientScopes List<String>
    defaultSignatureAlgorithm String

    Default algorithm used to sign tokens for the realm.

    directGrantFlow String

    The desired flow for direct access authentication. Defaults to direct grant.

    displayName String

    The display name for the realm that is shown when logging in to the admin console.

    displayNameHtml String

    The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.

    dockerAuthenticationFlow String

    The desired flow for Docker authentication. Defaults to docker auth.

    duplicateEmailsAllowed Boolean

    When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.

    editUsernameAllowed Boolean

    When true, the username field is editable.

    emailTheme String

    Used for emails that are sent by Keycloak.

    enabled Boolean

    When false, users and clients will not be able to access this realm. Defaults to true.

    internalId String

    When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.

    internationalization RealmInternationalization
    loginTheme String

    Used for the login, forgot password, and registration pages.

    loginWithEmailAllowed Boolean

    When true, users may log in with their email address.

    oauth2DeviceCodeLifespan String

    The maximum amount of time a client has to finish the device code flow before it expires.

    The attributes below should be specified in seconds.

    oauth2DevicePollingInterval Integer

    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.

    offlineSessionIdleTimeout String

    The amount of time an offline session can be idle before it expires.

    offlineSessionMaxLifespan String

    The maximum amount of time before an offline session expires regardless of activity.

    offlineSessionMaxLifespanEnabled Boolean

    Enable offline_session_max_lifespan.

    otpPolicy RealmOtpPolicy
    passwordPolicy String

    The password policy for users within the realm.

    The arguments below can be used to configure authentication flow bindings:

    realm String

    The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.

    refreshTokenMaxReuse Integer

    Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.

    The arguments below should be specified as Go duration strings. They will default to Keycloak's default settings.

    registrationAllowed Boolean

    When true, user registration will be enabled, and a link for registration will be displayed on the login page.

    registrationEmailAsUsername Boolean

    When true, the user's email will be used as their username during registration.

    registrationFlow String

    The desired flow for user registration. Defaults to registration.

    rememberMe Boolean

    When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.

    resetCredentialsFlow String

    The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.

    resetPasswordAllowed Boolean

    When true, a "forgot password" link will be displayed on the login page.

    revokeRefreshToken Boolean

    If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused (no reuse limit is enforced).

    securityDefenses RealmSecurityDefenses
    smtpServer RealmSmtpServer
    sslRequired String

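    Can be one of the following values: 'none', 'external' or 'all'. 'none' does not require HTTPS, 'external' requires HTTPS for requests from non-private IP addresses, and 'all' requires HTTPS for every request.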

    ssoSessionIdleTimeout String

    The amount of time a session can be idle before it expires.

    ssoSessionIdleTimeoutRememberMe String

    Similar to sso_session_idle_timeout, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_idle_timeout.

    ssoSessionMaxLifespan String

    The maximum amount of time before a session expires regardless of activity.

    ssoSessionMaxLifespanRememberMe String

    Similar to sso_session_max_lifespan, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_max_lifespan.

    userManagedAccess Boolean

    When true, users are allowed to manage their own resources. Defaults to false.

    verifyEmail Boolean

    When true, users are required to verify their email address after registration and after email address changes.

    webAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicy

    Configuration for WebAuthn Passwordless Policy authentication.

    Each of these attributes are blocks with the following attributes:

    webAuthnPolicy RealmWebAuthnPolicy

    Configuration for WebAuthn Policy authentication.

    accessCodeLifespan string

    The maximum amount of time a client has to finish the authorization code flow.

    accessCodeLifespanLogin string

    The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.

    accessCodeLifespanUserAction string

    The maximum amount of time a user has to complete login related actions, such as updating a password.

    accessTokenLifespan string

    The amount of time an access token can be used before it expires.

    accessTokenLifespanForImplicitFlow string

    The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.

    accountTheme string

    Used for account management pages.

    actionTokenGeneratedByAdminLifespan string

    The maximum time a user has to use an admin-generated permit before it expires.

    actionTokenGeneratedByUserLifespan string

    The maximum time a user has to use a user-generated permit before it expires.

    adminTheme string

    Used for the admin console.

    attributes {[key: string]: any}

    A map of custom attributes to add to the realm.

    browserFlow string

    The desired flow for browser authentication. Defaults to browser.

    clientAuthenticationFlow string

    The desired flow for client authentication. Defaults to clients.

    clientSessionIdleTimeout string

    The amount of time a session can be idle before it expires. Users can override it for individual clients.

    clientSessionMaxLifespan string

    The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.

    defaultDefaultClientScopes string[]
    defaultOptionalClientScopes string[]
    defaultSignatureAlgorithm string

    Default algorithm used to sign tokens for the realm.

    directGrantFlow string

    The desired flow for direct access authentication. Defaults to direct grant.

    displayName string

    The display name for the realm that is shown when logging in to the admin console.

    displayNameHtml string

    The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.

    dockerAuthenticationFlow string

    The desired flow for Docker authentication. Defaults to docker auth.

    duplicateEmailsAllowed boolean

    When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.

    editUsernameAllowed boolean

    When true, the username field is editable.

    emailTheme string

    Used for emails that are sent by Keycloak.

    enabled boolean

    When false, users and clients will not be able to access this realm. Defaults to true.

    internalId string

    When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.

    internationalization RealmInternationalization
    loginTheme string

    Used for the login, forgot password, and registration pages.

    loginWithEmailAllowed boolean

    When true, users may log in with their email address.

    oauth2DeviceCodeLifespan string

    The maximum amount of time a client has to finish the device code flow before it expires.

    The attributes below should be specified in seconds.

    oauth2DevicePollingInterval number

    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.

    offlineSessionIdleTimeout string

    The amount of time an offline session can be idle before it expires.

    offlineSessionMaxLifespan string

    The maximum amount of time before an offline session expires regardless of activity.

    offlineSessionMaxLifespanEnabled boolean

    Enable offline_session_max_lifespan.

    otpPolicy RealmOtpPolicy
    passwordPolicy string

    The password policy for users within the realm.

    The arguments below can be used to configure authentication flow bindings:

    realm string

    The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.

    refreshTokenMaxReuse number

    Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.

    The arguments below should be specified as Go duration strings. They will default to Keycloak's default settings.

    registrationAllowed boolean

    When true, user registration will be enabled, and a link for registration will be displayed on the login page.

    registrationEmailAsUsername boolean

    When true, the user's email will be used as their username during registration.

    registrationFlow string

    The desired flow for user registration. Defaults to registration.

    rememberMe boolean

    When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.

    resetCredentialsFlow string

    The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.

    resetPasswordAllowed boolean

    When true, a "forgot password" link will be displayed on the login page.

    revokeRefreshToken boolean

    If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused (no reuse limit is enforced).

    securityDefenses RealmSecurityDefenses
    smtpServer RealmSmtpServer
    sslRequired string

    Can be one of the following values: 'none', 'external' or 'all'.

    ssoSessionIdleTimeout string

    The amount of time a session can be idle before it expires.

    ssoSessionIdleTimeoutRememberMe string

    Similar to sso_session_idle_timeout, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_idle_timeout.

    ssoSessionMaxLifespan string

    The maximum amount of time before a session expires regardless of activity.

    ssoSessionMaxLifespanRememberMe string

    Similar to sso_session_max_lifespan, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_max_lifespan.

    userManagedAccess boolean

    When true, users are allowed to manage their own resources. Defaults to false.

    verifyEmail boolean

    When true, users are required to verify their email address after registration and after email address changes.

    webAuthnPasswordlessPolicy RealmWebAuthnPasswordlessPolicy

    Configuration for WebAuthn Passwordless Policy authentication.

    Each of these attributes are blocks with the following attributes:

    webAuthnPolicy RealmWebAuthnPolicy

    Configuration for WebAuthn Policy authentication.

    access_code_lifespan str

    The maximum amount of time a client has to finish the authorization code flow.

    access_code_lifespan_login str

    The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.

    access_code_lifespan_user_action str

    The maximum amount of time a user has to complete login related actions, such as updating a password.

    access_token_lifespan str

    The amount of time an access token can be used before it expires.

    access_token_lifespan_for_implicit_flow str

    The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.

    account_theme str

    Used for account management pages.

    action_token_generated_by_admin_lifespan str

    The maximum time a user has to use an admin-generated permit before it expires.

    action_token_generated_by_user_lifespan str

    The maximum time a user has to use a user-generated permit before it expires.

    admin_theme str

    Used for the admin console.

    attributes Mapping[str, Any]

    A map of custom attributes to add to the realm.

    browser_flow str

    The desired flow for browser authentication. Defaults to browser.

    client_authentication_flow str

    The desired flow for client authentication. Defaults to clients.

    client_session_idle_timeout str

    The amount of time a session can be idle before it expires. Users can override it for individual clients.

    client_session_max_lifespan str

    The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.

    default_default_client_scopes Sequence[str]
    default_optional_client_scopes Sequence[str]
    default_signature_algorithm str

    Default algorithm used to sign tokens for the realm.

    direct_grant_flow str

    The desired flow for direct access authentication. Defaults to direct grant.

    display_name str

    The display name for the realm that is shown when logging in to the admin console.

    display_name_html str

    The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.

    docker_authentication_flow str

    The desired flow for Docker authentication. Defaults to docker auth.

    duplicate_emails_allowed bool

    When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.

    edit_username_allowed bool

    When true, the username field is editable.

    email_theme str

    Used for emails that are sent by Keycloak.

    enabled bool

    When false, users and clients will not be able to access this realm. Defaults to true.

    internal_id str

    When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.

    internationalization RealmInternationalizationArgs
    login_theme str

    Used for the login, forgot password, and registration pages.

    login_with_email_allowed bool

    When true, users may log in with their email address.

    oauth2_device_code_lifespan str

    The maximum amount of time a client has to finish the device code flow before it expires.

    The attributes below should be specified in seconds.

    oauth2_device_polling_interval int

    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.

    offline_session_idle_timeout str

    The amount of time an offline session can be idle before it expires.

    offline_session_max_lifespan str

    The maximum amount of time before an offline session expires regardless of activity.

    offline_session_max_lifespan_enabled bool

    Enable offline_session_max_lifespan.

    otp_policy RealmOtpPolicyArgs
    password_policy str

    The password policy for users within the realm.

    The arguments below can be used to configure authentication flow bindings:

    realm str

    The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.

    refresh_token_max_reuse int

    Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.

    The arguments below should be specified as Go duration strings. They will default to Keycloak's default settings.

    registration_allowed bool

    When true, user registration will be enabled, and a link for registration will be displayed on the login page.

    registration_email_as_username bool

    When true, the user's email will be used as their username during registration.

    registration_flow str

    The desired flow for user registration. Defaults to registration.

    remember_me bool

    When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.

    reset_credentials_flow str

    The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.

    reset_password_allowed bool

    When true, a "forgot password" link will be displayed on the login page.

    revoke_refresh_token bool

    If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused.

    security_defenses RealmSecurityDefensesArgs
    smtp_server RealmSmtpServerArgs
    ssl_required str

    Can be one of the following values: 'none', 'external' or 'all'.

    sso_session_idle_timeout str

    The amount of time a session can be idle before it expires.

    sso_session_idle_timeout_remember_me str

    Similar to sso_session_idle_timeout, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_idle_timeout.

    sso_session_max_lifespan str

    The maximum amount of time before a session expires regardless of activity.

    sso_session_max_lifespan_remember_me str

    Similar to sso_session_max_lifespan, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_max_lifespan.

    user_managed_access bool

    When true, users are allowed to manage their own resources. Defaults to false.

    verify_email bool

    When true, users are required to verify their email address after registration and after email address changes.

    web_authn_passwordless_policy RealmWebAuthnPasswordlessPolicyArgs

    Configuration for WebAuthn Passwordless Policy authentication.

    Each of these attributes are blocks with the following attributes:

    web_authn_policy RealmWebAuthnPolicyArgs

    Configuration for WebAuthn Policy authentication.

    accessCodeLifespan String

    The maximum amount of time a client has to finish the authorization code flow.

    accessCodeLifespanLogin String

    The maximum amount of time a user is permitted to stay on the login page before the authentication process must be restarted.

    accessCodeLifespanUserAction String

    The maximum amount of time a user has to complete login related actions, such as updating a password.

    accessTokenLifespan String

    The amount of time an access token can be used before it expires.

    accessTokenLifespanForImplicitFlow String

    The amount of time an access token issued with the OpenID Connect Implicit Flow can be used before it expires.

    accountTheme String

    Used for account management pages.

    actionTokenGeneratedByAdminLifespan String

    The maximum time a user has to use an admin-generated permit before it expires.

    actionTokenGeneratedByUserLifespan String

    The maximum time a user has to use a user-generated permit before it expires.

    adminTheme String

    Used for the admin console.

    attributes Map<Any>

    A map of custom attributes to add to the realm.

    browserFlow String

    The desired flow for browser authentication. Defaults to browser.

    clientAuthenticationFlow String

    The desired flow for client authentication. Defaults to clients.

    clientSessionIdleTimeout String

    The amount of time a session can be idle before it expires. Users can override it for individual clients.

    clientSessionMaxLifespan String

    The maximum amount of time before a session expires regardless of activity. Users can override it for individual clients.

    defaultDefaultClientScopes List<String>
    defaultOptionalClientScopes List<String>
    defaultSignatureAlgorithm String

    Default algorithm used to sign tokens for the realm.

    directGrantFlow String

    The desired flow for direct access authentication. Defaults to direct grant.

    displayName String

    The display name for the realm that is shown when logging in to the admin console.

    displayNameHtml String

    The display name for the realm that is rendered as HTML on the screen when logging in to the admin console.

    dockerAuthenticationFlow String

    The desired flow for Docker authentication. Defaults to docker auth.

    duplicateEmailsAllowed Boolean

    When true, multiple users will be allowed to have the same email address. This argument must be set to false if login_with_email_allowed is set to true.

    editUsernameAllowed Boolean

    When true, the username field is editable.

    emailTheme String

    Used for emails that are sent by Keycloak.

    enabled Boolean

    When false, users and clients will not be able to access this realm. Defaults to true.

    internalId String

    When specified, this will be used as the realm's internal ID within Keycloak. When not specified, the realm's internal ID will be set to the realm's name.

    internationalization Property Map
    loginTheme String

    Used for the login, forgot password, and registration pages.

    loginWithEmailAllowed Boolean

    When true, users may log in with their email address.

    oauth2DeviceCodeLifespan String

    The maximum amount of time a client has to finish the device code flow before it expires.

    The attributes below should be specified in seconds.

    oauth2DevicePollingInterval Number

    The minimum amount of time in seconds that the client should wait between polling requests to the token endpoint.

    offlineSessionIdleTimeout String

    The amount of time an offline session can be idle before it expires.

    offlineSessionMaxLifespan String

    The maximum amount of time before an offline session expires regardless of activity.

    offlineSessionMaxLifespanEnabled Boolean

    Enable offline_session_max_lifespan.

    otpPolicy Property Map
    passwordPolicy String

    The password policy for users within the realm.

    The arguments below can be used to configure authentication flow bindings:

    realm String

    The name of the realm. This is unique across Keycloak. This will also be used as the realm's internal ID within Keycloak.

    refreshTokenMaxReuse Number

    Maximum number of times a refresh token can be reused before it is revoked. If unspecified and 'revoke_refresh_token' is enabled, the default value is 0 and refresh tokens cannot be reused.

    The arguments below should be specified as Go duration strings. They will default to Keycloak's default settings.

    registrationAllowed Boolean

    When true, user registration will be enabled, and a link for registration will be displayed on the login page.

    registrationEmailAsUsername Boolean

    When true, the user's email will be used as their username during registration.

    registrationFlow String

    The desired flow for user registration. Defaults to registration.

    rememberMe Boolean

    When true, a "remember me" checkbox will be displayed on the login page, and the user's session will not expire between browser restarts.

    resetCredentialsFlow String

    The desired flow to use when a user attempts to reset their credentials. Defaults to reset credentials.

    resetPasswordAllowed Boolean

    When true, a "forgot password" link will be displayed on the login page.

    revokeRefreshToken Boolean

    If enabled, a refresh token can only be used the number of times specified in 'refresh_token_max_reuse' before it is revoked. If unspecified, refresh tokens can be reused.

    securityDefenses Property Map
    smtpServer Property Map
    sslRequired String

    Can be one of the following values: 'none', 'external' or 'all'.

    ssoSessionIdleTimeout String

    The amount of time a session can be idle before it expires.

    ssoSessionIdleTimeoutRememberMe String

    Similar to sso_session_idle_timeout, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_idle_timeout.

    ssoSessionMaxLifespan String

    The maximum amount of time before a session expires regardless of activity.

    ssoSessionMaxLifespanRememberMe String

    Similar to sso_session_max_lifespan, but used when a user clicks "Remember Me". If not set, Keycloak will default to the value of sso_session_max_lifespan.

    userManagedAccess Boolean

    When true, users are allowed to manage their own resources. Defaults to false.

    verifyEmail Boolean

    When true, users are required to verify their email address after registration and after email address changes.

    webAuthnPasswordlessPolicy Property Map

    Configuration for WebAuthn Passwordless Policy authentication.

    Each of these attributes are blocks with the following attributes:

    webAuthnPolicy Property Map

    Configuration for WebAuthn Policy authentication.

    Supporting Types

    RealmInternationalization, RealmInternationalizationArgs

    DefaultLocale string

    The locale to use by default. This locale code must be present within the supported_locales list.

    SupportedLocales List<string>

    A list of ISO 639-1 locale codes that the realm should support.

    DefaultLocale string

    The locale to use by default. This locale code must be present within the supported_locales list.

    SupportedLocales []string

    A list of ISO 639-1 locale codes that the realm should support.

    defaultLocale String

    The locale to use by default. This locale code must be present within the supported_locales list.

    supportedLocales List<String>

    A list of ISO 639-1 locale codes that the realm should support.

    defaultLocale string

    The locale to use by default. This locale code must be present within the supported_locales list.

    supportedLocales string[]

    A list of ISO 639-1 locale codes that the realm should support.

    default_locale str

    The locale to use by default. This locale code must be present within the supported_locales list.

    supported_locales Sequence[str]

    A list of ISO 639-1 locale codes that the realm should support.

    defaultLocale String

    The locale to use by default. This locale code must be present within the supported_locales list.

    supportedLocales List<String>

    A list of ISO 639-1 locale codes that the realm should support.

    RealmOtpPolicy, RealmOtpPolicyArgs

    Algorithm string

    Which hashing algorithm should be used to generate the OTP. Valid options are HmacSHA1, HmacSHA256 and HmacSHA512. Defaults to HmacSHA1.

    Digits int

    How many digits the OTP has. Defaults to 6.

    InitialCounter int

    What should the initial counter value be. Defaults to 2.

    LookAheadWindow int

    How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to 1.

    Period int

    How many seconds should an OTP token be valid. Defaults to 30.

    Type string

    One Time Password Type, supported Values are totp for Time-Based One Time Password and hotp for Counter Based. Defaults to totp.

    Algorithm string

    Which hashing algorithm should be used to generate the OTP. Valid options are HmacSHA1, HmacSHA256 and HmacSHA512. Defaults to HmacSHA1.

    Digits int

    How many digits the OTP has. Defaults to 6.

    InitialCounter int

    What should the initial counter value be. Defaults to 2.

    LookAheadWindow int

    How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to 1.

    Period int

    How many seconds should an OTP token be valid. Defaults to 30.

    Type string

    One Time Password Type, supported Values are totp for Time-Based One Time Password and hotp for Counter Based. Defaults to totp.

    algorithm String

    Which hashing algorithm should be used to generate the OTP. Valid options are HmacSHA1, HmacSHA256 and HmacSHA512. Defaults to HmacSHA1.

    digits Integer

    How many digits the OTP has. Defaults to 6.

    initialCounter Integer

    What should the initial counter value be. Defaults to 2.

    lookAheadWindow Integer

    How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to 1.

    period Integer

    How many seconds should an OTP token be valid. Defaults to 30.

    type String

    One Time Password Type, supported Values are totp for Time-Based One Time Password and hotp for Counter Based. Defaults to totp.

    algorithm string

    Which hashing algorithm should be used to generate the OTP. Valid options are HmacSHA1, HmacSHA256 and HmacSHA512. Defaults to HmacSHA1.

    digits number

    How many digits the OTP has. Defaults to 6.

    initialCounter number

    What should the initial counter value be. Defaults to 2.

    lookAheadWindow number

    How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to 1.

    period number

    How many seconds should an OTP token be valid. Defaults to 30.

    type string

    One Time Password Type, supported Values are totp for Time-Based One Time Password and hotp for Counter Based. Defaults to totp.

    algorithm str

    Which hashing algorithm should be used to generate the OTP. Valid options are HmacSHA1, HmacSHA256 and HmacSHA512. Defaults to HmacSHA1.

    digits int

    How many digits the OTP has. Defaults to 6.

    initial_counter int

    What should the initial counter value be. Defaults to 2.

    look_ahead_window int

    How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to 1.

    period int

    How many seconds should an OTP token be valid. Defaults to 30.

    type str

    One Time Password Type, supported Values are totp for Time-Based One Time Password and hotp for Counter Based. Defaults to totp.

    algorithm String

    Which hashing algorithm should be used to generate the OTP. Valid options are HmacSHA1, HmacSHA256 and HmacSHA512. Defaults to HmacSHA1.

    digits Number

    How many digits the OTP has. Defaults to 6.

    initialCounter Number

    What should the initial counter value be. Defaults to 2.

    lookAheadWindow Number

    How far ahead should the server look just in case the token generator and server are out of time sync or counter sync. Defaults to 1.

    period Number

    How many seconds should an OTP token be valid. Defaults to 30.

    type String

    One Time Password Type, supported Values are totp for Time-Based One Time Password and hotp for Counter Based. Defaults to totp.

    RealmSecurityDefenses, RealmSecurityDefensesArgs

    RealmSecurityDefensesBruteForceDetection, RealmSecurityDefensesBruteForceDetectionArgs

    FailureResetTimeSeconds int

    When will failure count be reset?

    MaxFailureWaitSeconds int
    MaxLoginFailures int

    How many failures before wait is triggered.

    MinimumQuickLoginWaitSeconds int

    How long to wait after a quick login failure.

    • max_failure_wait_seconds - (Optional) Max. time a user will be locked out.
    PermanentLockout bool

    When true, this will lock the user permanently when the user exceeds the maximum login failures.

    QuickLoginCheckMilliSeconds int

    Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.

    WaitIncrementSeconds int

    This represents the amount of time a user should be locked out when the login failure threshold has been met.

    FailureResetTimeSeconds int

    When will failure count be reset?

    MaxFailureWaitSeconds int
    MaxLoginFailures int

    How many failures before wait is triggered.

    MinimumQuickLoginWaitSeconds int

    How long to wait after a quick login failure.

    • max_failure_wait_seconds - (Optional) Max. time a user will be locked out.
    PermanentLockout bool

    When true, this will lock the user permanently when the user exceeds the maximum login failures.

    QuickLoginCheckMilliSeconds int

    Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.

    WaitIncrementSeconds int

    This represents the amount of time a user should be locked out when the login failure threshold has been met.

    failureResetTimeSeconds Integer

    When will failure count be reset?

    maxFailureWaitSeconds Integer
    maxLoginFailures Integer

    How many failures before wait is triggered.

    minimumQuickLoginWaitSeconds Integer

    How long to wait after a quick login failure.

    • max_failure_wait_seconds - (Optional) Max. time a user will be locked out.
    permanentLockout Boolean

    When true, this will lock the user permanently when the user exceeds the maximum login failures.

    quickLoginCheckMilliSeconds Integer

    Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.

    waitIncrementSeconds Integer

    This represents the amount of time a user should be locked out when the login failure threshold has been met.

    failureResetTimeSeconds number

    When will failure count be reset?

    maxFailureWaitSeconds number
    maxLoginFailures number

    How many failures before wait is triggered.

    minimumQuickLoginWaitSeconds number

    How long to wait after a quick login failure.

    • max_failure_wait_seconds - (Optional) Max. time a user will be locked out.
    permanentLockout boolean

    When true, this will lock the user permanently when the user exceeds the maximum login failures.

    quickLoginCheckMilliSeconds number

    Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.

    waitIncrementSeconds number

    This represents the amount of time a user should be locked out when the login failure threshold has been met.

    failure_reset_time_seconds int

    When will failure count be reset?

    max_failure_wait_seconds int
    max_login_failures int

    How many failures before wait is triggered.

    minimum_quick_login_wait_seconds int

    How long to wait after a quick login failure.

    • max_failure_wait_seconds - (Optional) Max. time a user will be locked out.
    permanent_lockout bool

    When true, this will lock the user permanently when the user exceeds the maximum login failures.

    quick_login_check_milli_seconds int

    Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.

    wait_increment_seconds int

    This represents the amount of time a user should be locked out when the login failure threshold has been met.

    failureResetTimeSeconds Number

    When will failure count be reset?

    maxFailureWaitSeconds Number
    maxLoginFailures Number

    How many failures before wait is triggered.

    minimumQuickLoginWaitSeconds Number

    How long to wait after a quick login failure.

    • max_failure_wait_seconds - (Optional) Max. time a user will be locked out.
    permanentLockout Boolean

    When true, this will lock the user permanently when the user exceeds the maximum login failures.

    quickLoginCheckMilliSeconds Number

    Configures the amount of time, in milliseconds, for consecutive failures to lock a user out.

    waitIncrementSeconds Number

    This represents the amount of time a user should be locked out when the login failure threshold has been met.

    RealmSecurityDefensesHeaders, RealmSecurityDefensesHeadersArgs

    ContentSecurityPolicy string

    Sets the Content Security Policy, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.

    ContentSecurityPolicyReportOnly string

    Used for testing Content Security Policies.

    StrictTransportSecurity string

    The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.

    XContentTypeOptions string

    Sets the X-Content-Type-Options header, which can be used to prevent MIME-sniffing a response away from the declared content-type.

    XFrameOptions string

    Sets the X-Frame-Options header, which can be used to prevent pages from being included by non-origin iframes. More information can be found in RFC 7034.

    XRobotsTag string

    Prevent pages from appearing in search engines.

    XXssProtection string

    This header configures the Cross-site scripting (XSS) filter in your browser.

    ContentSecurityPolicy string

    Sets the Content Security Policy, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.

    ContentSecurityPolicyReportOnly string

    Used for testing Content Security Policies.

    StrictTransportSecurity string

    The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.

    XContentTypeOptions string

    Sets the X-Content-Type-Options header, which can be used to prevent MIME-sniffing a response away from the declared content-type.

    XFrameOptions string

    Sets the X-Frame-Options header, which can be used to prevent pages from being included by non-origin iframes. More information can be found in RFC 7034.

    XRobotsTag string

    Prevent pages from appearing in search engines.

    XXssProtection string

    This header configures the Cross-site scripting (XSS) filter in your browser.

    contentSecurityPolicy String

    Sets the Content Security Policy, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.

    contentSecurityPolicyReportOnly String

    Used for testing Content Security Policies.

    strictTransportSecurity String

    The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.

    xContentTypeOptions String

    Sets the X-Content-Type-Options header, which can be used to prevent MIME-sniffing a response away from the declared content-type.

    xFrameOptions String

    Sets the X-Frame-Options header, which can be used to prevent pages from being included by non-origin iframes. More information can be found in RFC 7034.

    xRobotsTag String

    Prevent pages from appearing in search engines.

    xXssProtection String

    This header configures the Cross-site scripting (XSS) filter in your browser.

    contentSecurityPolicy string

    Sets the Content Security Policy, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.

    contentSecurityPolicyReportOnly string

    Used for testing Content Security Policies.

    strictTransportSecurity string

    The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.

    xContentTypeOptions string

    Sets the X-Content-Type-Options header, which can be used to prevent MIME-sniffing a response away from the declared content-type.

    xFrameOptions string

    Sets the X-Frame-Options header, which can be used to prevent pages from being included by non-origin iframes. More information can be found in RFC 7034.

    xRobotsTag string

    Prevent pages from appearing in search engines.

    xXssProtection string

    This header configures the Cross-site scripting (XSS) filter in your browser.

    content_security_policy str

    Sets the Content Security Policy, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.

    content_security_policy_report_only str

    Used for testing Content Security Policies.

    strict_transport_security str

    The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.

    x_content_type_options str

    Sets the X-Content-Type-Options header, which can be used to prevent MIME-sniffing a response away from the declared content-type.

    x_frame_options str

    Sets the X-Frame-Options header, which can be used to prevent pages from being included by non-origin iframes. More information can be found in RFC 7034.

    x_robots_tag str

    Prevent pages from appearing in search engines.

    x_xss_protection str

    This header configures the Cross-site scripting (XSS) filter in your browser.

    contentSecurityPolicy String

    Sets the Content Security Policy, which can be used to prevent pages from being included by non-origin iframes. More information can be found in the W3C-CSP Abstract.

    contentSecurityPolicyReportOnly String

    Used for testing Content Security Policies.

    strictTransportSecurity String

    The Strict-Transport-Security HTTP header tells browsers to always use HTTPS.

    xContentTypeOptions String

    Sets the X-Content-Type-Options header, which can be used to prevent MIME-sniffing a response away from the declared content-type.

    xFrameOptions String

    Sets the X-Frame-Options header, which can be used to prevent pages from being included by non-origin iframes. More information can be found in RFC 7034.

    xRobotsTag String

    Prevent pages from appearing in search engines.

    xXssProtection String

    This header configures the Cross-site scripting (XSS) filter in your browser.

    RealmSmtpServer, RealmSmtpServerArgs

    From string

    The email address for the sender.

    Host string

    The host of the SMTP server.

    Auth RealmSmtpServerAuth

    Enables authentication to the SMTP server. This block supports the following arguments:

    EnvelopeFrom string

    The email address used for bounces.

    FromDisplayName string

    The display name of the sender email address.

    Port string

    The port of the SMTP server (defaults to 25).

    ReplyTo string

    The "reply to" email address.

    ReplyToDisplayName string

    The display name of the "reply to" email address.

    Ssl bool

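    When true, enables SSL. Defaults to false. If both SSL and StartTLS stay disabled, the connection to the SMTP server, including any credentials sent to it, is not encrypted.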

    Starttls bool

    When true, enables StartTLS. Defaults to false.

    From string

    The email address for the sender.

    Host string

    The host of the SMTP server.

    Auth RealmSmtpServerAuth

    Enables authentication to the SMTP server. This block supports the following arguments:

    EnvelopeFrom string

    The email address used for bounces.

    FromDisplayName string

    The display name of the sender email address.

    Port string

    The port of the SMTP server (defaults to 25).

    ReplyTo string

    The "reply to" email address.

    ReplyToDisplayName string

    The display name of the "reply to" email address.

    Ssl bool

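    When true, enables SSL. Defaults to false. If both SSL and StartTLS stay disabled, the connection to the SMTP server, including any credentials sent to it, is not encrypted.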

    Starttls bool

    When true, enables StartTLS. Defaults to false.

    from String

    The email address for the sender.

    host String

    The host of the SMTP server.

    auth RealmSmtpServerAuth

    Enables authentication to the SMTP server. This block supports the following arguments:

    envelopeFrom String

    The email address used for bounces.

    fromDisplayName String

    The display name of the sender email address.

    port String

    The port of the SMTP server (defaults to 25).

    replyTo String

    The "reply to" email address.

    replyToDisplayName String

    The display name of the "reply to" email address.

    ssl Boolean

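    When true, enables SSL. Defaults to false. If both SSL and StartTLS stay disabled, the connection to the SMTP server, including any credentials sent to it, is not encrypted.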

    starttls Boolean

    When true, enables StartTLS. Defaults to false.

    from string

    The email address for the sender.

    host string

    The host of the SMTP server.

    auth RealmSmtpServerAuth

    Enables authentication to the SMTP server. This block supports the following arguments:

    envelopeFrom string

    The email address used for bounces.

    fromDisplayName string

    The display name of the sender email address.

    port string

    The port of the SMTP server (defaults to 25).

    replyTo string

    The "reply to" email address.

    replyToDisplayName string

    The display name of the "reply to" email address.

    ssl boolean

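    When true, enables SSL. Defaults to false. If both SSL and StartTLS stay disabled, the connection to the SMTP server, including any credentials sent to it, is not encrypted.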

    starttls boolean

    When true, enables StartTLS. Defaults to false.

    from_ str

    The email address for the sender.

    host str

    The host of the SMTP server.

    auth RealmSmtpServerAuth

    Enables authentication to the SMTP server. This block supports the following arguments:

    envelope_from str

    The email address used for bounces.

    from_display_name str

    The display name of the sender email address.

    port str

    The port of the SMTP server (defaults to 25).

    reply_to str

    The "reply to" email address.

    reply_to_display_name str

    The display name of the "reply to" email address.

    ssl bool

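    When true, enables SSL. Defaults to false. If both SSL and StartTLS stay disabled, the connection to the SMTP server, including any credentials sent to it, is not encrypted.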

    starttls bool

    When true, enables StartTLS. Defaults to false.

    from String

    The email address for the sender.

    host String

    The host of the SMTP server.

    auth Property Map

    Enables authentication to the SMTP server. This block supports the following arguments:

    envelopeFrom String

    The email address used for bounces.

    fromDisplayName String

    The display name of the sender email address.

    port String

    The port of the SMTP server (defaults to 25).

    replyTo String

    The "reply to" email address.

    replyToDisplayName String

    The display name of the "reply to" email address.

    ssl Boolean

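    When true, enables SSL. Defaults to false. If both SSL and StartTLS stay disabled, the connection to the SMTP server, including any credentials sent to it, is not encrypted.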

    starttls Boolean

    When true, enables StartTLS. Defaults to false.

    RealmSmtpServerAuth, RealmSmtpServerAuthArgs

    Password string

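    The SMTP server password. Supply it from a secret value (for example Pulumi secret configuration) rather than as a literal in the program source.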

    Username string

    The SMTP server username.

    Password string

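    The SMTP server password. Supply it from a secret value (for example Pulumi secret configuration) rather than as a literal in the program source.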

    Username string

    The SMTP server username.

    password String

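    The SMTP server password. Supply it from a secret value (for example Pulumi secret configuration) rather than as a literal in the program source.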

    username String

    The SMTP server username.

    password string

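    The SMTP server password. Supply it from a secret value (for example Pulumi secret configuration) rather than as a literal in the program source.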

    username string

    The SMTP server username.

    password str

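    The SMTP server password. Supply it from a secret value (for example Pulumi secret configuration) rather than as a literal in the program source.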

    username str

    The SMTP server username.

    password String

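    The SMTP server password. Supply it from a secret value (for example Pulumi secret configuration) rather than as a literal in the program source.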

    username String

    The SMTP server username.

    RealmWebAuthnPasswordlessPolicy, RealmWebAuthnPasswordlessPolicyArgs

    AcceptableAaguids List<string>

    A set of AAGUIDs for which an authenticator can be registered.

    AttestationConveyancePreference string

    The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.

    AuthenticatorAttachment string

    The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.

    AvoidSameAuthenticatorRegister bool

    When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.

    CreateTimeout int

    The timeout value for creating a user's public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.

    RelyingPartyEntityName string

    A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.

    RelyingPartyId string

    The WebAuthn relying party ID.

    RequireResidentKey string

    Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.

    SignatureAlgorithms List<string>

    A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1. RS1 relies on SHA-1 and is best left out unless a legacy authenticator requires it.

    UserVerificationRequirement string

    Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

    AcceptableAaguids []string

    A set of AAGUIDs for which an authenticator can be registered.

    AttestationConveyancePreference string

    The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.

    AuthenticatorAttachment string

    The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.

    AvoidSameAuthenticatorRegister bool

    When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.

    CreateTimeout int

    The timeout value for creating a user's public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.

    RelyingPartyEntityName string

    A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.

    RelyingPartyId string

    The WebAuthn relying party ID.

    RequireResidentKey string

    Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.

    SignatureAlgorithms []string

    A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1. RS1 relies on SHA-1 and is best left out unless a legacy authenticator requires it.

    UserVerificationRequirement string

    Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

    acceptableAaguids List<String>

    A set of AAGUIDs for which an authenticator can be registered.

    attestationConveyancePreference String

    The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.

    authenticatorAttachment String

    The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.

    avoidSameAuthenticatorRegister Boolean

    When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.

    createTimeout Integer

    The timeout value for creating a user's public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.

    relyingPartyEntityName String

    A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.

    relyingPartyId String

    The WebAuthn relying party ID.

    requireResidentKey String

    Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.

    signatureAlgorithms List<String>

    A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1. RS1 relies on SHA-1 and is best left out unless a legacy authenticator requires it.

    userVerificationRequirement String

    Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

    acceptableAaguids string[]

    A set of AAGUIDs for which an authenticator can be registered.

    attestationConveyancePreference string

    The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.

    authenticatorAttachment string

    The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.

    avoidSameAuthenticatorRegister boolean

    When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.

    createTimeout number

    The timeout value for creating a user's public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.

    relyingPartyEntityName string

    A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.

    relyingPartyId string

    The WebAuthn relying party ID.

    requireResidentKey string

    Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.

    signatureAlgorithms string[]

    A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1. RS1 relies on SHA-1 and is best left out unless a legacy authenticator requires it.

    userVerificationRequirement string

    Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

    acceptable_aaguids Sequence[str]

    A set of AAGUIDs for which an authenticator can be registered.

    attestation_conveyance_preference str

    The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.

    authenticator_attachment str

    The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.

    avoid_same_authenticator_register bool

    When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.

    create_timeout int

    The timeout value for creating a user's public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.

    relying_party_entity_name str

    A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.

    relying_party_id str

    The WebAuthn relying party ID.

    require_resident_key str

    Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.

    signature_algorithms Sequence[str]

    A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1. RS1 relies on SHA-1 and is best left out unless a legacy authenticator requires it.

    user_verification_requirement str

    Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

    acceptableAaguids List<String>

    A set of AAGUIDs for which an authenticator can be registered.

    attestationConveyancePreference String

    The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.

    authenticatorAttachment String

    The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.

    avoidSameAuthenticatorRegister Boolean

    When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.

    createTimeout Number

    The timeout value for creating a user's public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.

    relyingPartyEntityName String

    A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.

    relyingPartyId String

    The WebAuthn relying party ID.

    requireResidentKey String

    Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.

    signatureAlgorithms List<String>

    A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1. RS1 relies on SHA-1 and is best left out unless a legacy authenticator requires it.

    userVerificationRequirement String

    Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

    RealmWebAuthnPolicy, RealmWebAuthnPolicyArgs

    AcceptableAaguids List<string>

    A set of AAGUIDs for which an authenticator can be registered.

    AttestationConveyancePreference string

    The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.

    AuthenticatorAttachment string

    The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.

    AvoidSameAuthenticatorRegister bool

    When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.

    CreateTimeout int

    The timeout value for creating a user's public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.

    RelyingPartyEntityName string

    A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.

    RelyingPartyId string

    The WebAuthn relying party ID.

    RequireResidentKey string

    Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.

    SignatureAlgorithms List<string>

    A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1. RS1 relies on SHA-1 and is best left out unless a legacy authenticator requires it.

    UserVerificationRequirement string

    Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

    AcceptableAaguids []string

    A set of AAGUIDs for which an authenticator can be registered.

    AttestationConveyancePreference string

    The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.

    AuthenticatorAttachment string

    The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.

    AvoidSameAuthenticatorRegister bool

    When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.

    CreateTimeout int

    The timeout value for creating a user's public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.

    RelyingPartyEntityName string

    A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.

    RelyingPartyId string

    The WebAuthn relying party ID.

    RequireResidentKey string

    Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.

    SignatureAlgorithms []string

    A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1. RS1 relies on SHA-1 and is best left out unless a legacy authenticator requires it.

    UserVerificationRequirement string

    Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

    acceptableAaguids List<String>

    A set of AAGUIDs for which an authenticator can be registered.

    attestationConveyancePreference String

    The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.

    authenticatorAttachment String

    The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.

    avoidSameAuthenticatorRegister Boolean

    When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.

    createTimeout Integer

    The timeout value for creating a user's public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.

    relyingPartyEntityName String

    A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.

    relyingPartyId String

    The WebAuthn relying party ID.

    requireResidentKey String

    Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.

    signatureAlgorithms List<String>

    A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1. RS1 relies on SHA-1 and is best left out unless a legacy authenticator requires it.

    userVerificationRequirement String

    Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

    acceptableAaguids string[]

    A set of AAGUIDs for which an authenticator can be registered.

    attestationConveyancePreference string

    The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.

    authenticatorAttachment string

    The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.

    avoidSameAuthenticatorRegister boolean

    When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.

    createTimeout number

    The timeout value for creating a user's public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.

    relyingPartyEntityName string

    A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.

    relyingPartyId string

    The WebAuthn relying party ID.

    requireResidentKey string

    Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.

    signatureAlgorithms string[]

    A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1. RS1 relies on SHA-1 and is best left out unless a legacy authenticator requires it.

    userVerificationRequirement string

    Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

    acceptable_aaguids Sequence[str]

    A set of AAGUIDs for which an authenticator can be registered.

    attestation_conveyance_preference str

    The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.

    authenticator_attachment str

    The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.

    avoid_same_authenticator_register bool

    When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.

    create_timeout int

    The timeout value for creating a user's public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.

    relying_party_entity_name str

    A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.

    relying_party_id str

    The WebAuthn relying party ID.

    require_resident_key str

    Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.

    signature_algorithms Sequence[str]

    A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1. RS1 relies on SHA-1 and is best left out unless a legacy authenticator requires it.

    user_verification_requirement str

    Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

    acceptableAaguids List<String>

    A set of AAGUIDs for which an authenticator can be registered.

    attestationConveyancePreference String

    The preference of how to generate a WebAuthn attestation statement. Valid options are not specified, none, indirect, direct, or enterprise. Defaults to not specified.

    authenticatorAttachment String

    The acceptable attachment pattern for the WebAuthn authenticator. Valid options are not specified, platform, or cross-platform. Defaults to not specified.

    avoidSameAuthenticatorRegister Boolean

    When true, Keycloak will avoid registering the authenticator for WebAuthn if it has already been registered. Defaults to false.

    createTimeout Number

    The timeout value for creating a user's public key credential in seconds. When set to 0, this timeout option is not adapted. Defaults to 0.

    relyingPartyEntityName String

    A human readable server name for the WebAuthn Relying Party. Defaults to keycloak.

    relyingPartyId String

    The WebAuthn relying party ID.

    requireResidentKey String

    Specifies whether or not a public key should be created to represent the resident key. Valid options are not specified, Yes, or No. Defaults to not specified.

    signatureAlgorithms List<String>

    A set of signature algorithms that should be used for the authentication assertion. Valid options at the time these docs were written are ES256, ES384, ES512, RS256, RS384, RS512, and RS1. RS1 relies on SHA-1 and is best left out unless a legacy authenticator requires it.

    userVerificationRequirement String

    Specifies the policy for verifying a user logging in via WebAuthn. Valid options are not specified, required, preferred, or discouraged. Defaults to not specified.

    Import

    Realms can be imported using their name. Example:

     $ pulumi import keycloak:index/realm:Realm realm my-realm
    

    Package Details

    Repository
    Keycloak pulumi/pulumi-keycloak
    License
    Apache-2.0
    Notes

    This Pulumi package is based on the keycloak Terraform Provider.

    Keycloak v5.2.1 published on Tuesday, Jun 27, 2023 by Pulumi